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FOREWORD 


The  Reliability  Engineering  Handbook  has  been 
prepared  to  fill  an  increasing  need  for  a  manual  of  reliabil¬ 
ity  methods  suitable  for  application  by  project  management 
and  engineering  personnel  within  the  Bureau  of  Naval 
Weapons — to  assist  in  the  full  exploitation  of  available 
reliability  assurance  measures  in  the  planning,  direction, 
and  monitoring  of  their  respective  development  programs. 

This  handbook  differs  from  others  in  that  it 
demonstrates  step-by-step  procedures  for  the  application 
of  methods  to  fulfill  specific  program  requirements,  and  it 
references  other  documentation  for  more  detailed  treatment 
of  the  principles  which  underlie  the  methods.  The  hand¬ 
book  attempts  to  satisfy  the  need  for  a  "digest”  of  these 
principles,  however,  through  practical  examples  drawn  from 
the  several  phases  of  the  system  life  cycle.  This  first 
edition  presents  specific  procedures  for  effective  planning, 
achievement,  management,  and  control  of  reliability,  with 
emphasis  on  the  conceptual  and  early  design  phases  of 
system  development. 
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CHAPTER  1 
INTRODUCTION 


1-1-1  to  1-1-2 


1-1  RELIABILITY  AS  AN  ENGINEERING  PRACTICE 


1-1-1.  The  Importance  of  Reliability 
to  System  Effectiveness 

Reliability  is  generally  defined  as  the 
“probability  of  successful  performance  under 
specified  conditions  of  time  and  use.”  As 
it  relates  to  military  products  —  weapon 
systems,  equipments,  components,  parts, 
and  even  the  processes  by  which  these  pro¬ 
ducts  are  combined  into  a  tactical  entity  — 
reliability  is  one  of  the  important  character¬ 
istics  by  which  the  tactical  suitability  of  a 
product  is  judged. 

In  the  case  of  the  weapon  system, 
tactical  suitability  is  measured  in  terms  of 
its  operational  effectiveness  in  the  intended 
tactical  role,  and  reliability  is  one  of  the 
more  consequential  of  the  effectiveness  par¬ 
ameters.  As  tactical  roles  and  “mission” 
requirements  become  more  sophisticated  —  to 
keep  pace  with  the  changing  threat  -  weapon 
systems  become  more  complex  in  the  func¬ 
tional  configuration  necessary  to  satisfy 
increased  performance  requirements.  As 
system  complexity  increases,  system  reli¬ 
ability  invariably  becomes  more  problem¬ 
atical  —  more  elusive  as  a  design  parameter. 
Not  only  does  it  become  more  difficult  to  de¬ 
fine  and  achieve  as  a  design  parameter, 
reliability  becomes  more  difficult  to  control 
and  demonstrate  in  production  and  thus  more 
difficult  to  assure  as  an  operational  charac¬ 
teristic  under  the  projected  conditions  of 
use.  These  difficulties  can,  at  most,  only 


be  minimized.  They  can  never  be  completely 
eliminated,  for  it  has  become  apparent  that 
a  predictable  upper  limit  of  reliability  feas¬ 
ibility  exists  for  a  given  system  concept  or 
design  approach. 

It  is  also  now  recognized,  however, 
that  with  the  exercise  of  very  deliberate  and 
positive  reliability  engineering  methods 
throughout  the  evolutionary  life  cycle  of  the 
weapon  system  —  from  the  early  planning 
stages  through  design,  development,  pro¬ 
duction,  and  the  inevitable  product  improve¬ 
ment  phases  -  this  upper  limit  of  reliability 
feasibility  can  be  attained,  and  perhaps 
exceeded.  Like  other  system  characteristics, 
reliability  is  a  quantitative  characteristic  — 
predictable  in  design,  measurable  in  test, 
assurable  in  production,  and  maintainable  in 
the  field.  Reliability  is  thus  controllable 
throughout  the  system  life  cycle  and  can, 
then,  be  monitored  and  guided  at  each  step 
of  system  development  to  assure  a  high  prob¬ 
ability  of  program  success  long  before  de¬ 
livery  of  the  system  to  the  Fleet. 

1-1-2.  Purpose  and  Scope  of  the  Handbook 

This  handbook  provides  step-by-step 
procedures  for  the  definition,  pursuit,  and 
acquisition  of  required  reliability  and  main¬ 
tainability  in  Naval  weapon  systems,  equip¬ 
ments,  and  components.  The  methods 
presented  are  generally  applicable  to  all 
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categories  of  weapon  system  elements  - 
electronic,  electro-mechanical,  mechanical, 
hydraulic,  chemical,  etc.  -  although  the 
examples  chosen  to  illustrate  the  applica¬ 
tion  of  specific  procedures  are  drawn  largely 
from  experience  with  electronic  and  electro¬ 
mechanical  systems  because  of  the  ready 
availability  of  documented  experience  with 
these  systems. 

Although  the  handbook  is  primarily  a 
“reliability”  handbook,  considerable  atten¬ 
tion  has  been  given  to  maintainability  as  a 
second  important  ingredient  in  the  system 
effectiveness  equation.  Procedures  are 
therefore  included  for  the  computation, 
assessment,  measurement,  and  specification 
of  maintainability  as  a  design  controlled 
characteristic  essential  to  overall  system 
operational  effectiveness. 

The  handbook  is  written  to  fill  three 
basic  needs  within  the  Bureau  of  Naval 
Weapons  and  its  contractor  facilities: 

Project  Management  - 

general  guidance  for  the  implementation 
of  selected  reliability  program  functions 
and  engineering  procedures  at  appro¬ 
priate  points  in  the  system  life  cycle. 

Project  Engineering  — 

step-by-step  demonstration  of  the 
engineering  procedures  used  in  the 
actual  performance  of  these  reliability 
program  functions. 

Design  Engineering  — 

procedures  and  technical  detail  suf¬ 
ficient  for  design  guidance  in  the 
actual  achievement  of  required  reli¬ 
ability  and  maintainability,  as  inherent 
features  of  design. 


1-1-3.  Reliability  is  a  “Growth”  Process 

Reliability  and  maintainability  are 
characteristics  that  can  be  both  created  and 
destroyed.  The  creation  of  a  reliable  product 
comes  from  planning,  designing,  testing, 
producing,  and  ultimately  using  the  product 
according  to  a  set  of  preconceived  “effec¬ 
tiveness-oriented”  procedures.  The  de¬ 
struction  or  degradation  of  reliability  in  an 
otherwise  satisfactory  product  comes  from 
ignorance  or  disregard  of  these  same  pro¬ 
cedures  at  any  single  point  in  the  evolution¬ 
ary  “growth”  cycle  of  the  reliability- 
acquisition  process. 

Reliability-oriented  procedures,  then, 
are  the  important  tools  by  which  reliability 
instinctiveness  and  craftsmanship  are  fos¬ 
tered,  evaluated,  and  guided  to  assure  a 
prescribed  rate  or  reliability  growth  during 
the  life  cycle  of  the  weapon  system,  from  the 
conceptual  stage  through  design,  develop¬ 
ment,  production,  and  Fleet  use  phases. 
Orderly  reliability  growth  does  not  come 
about  without  the  continuous  application  of 
effective  reliability  assurance  measures. 
Nor  can  it  survive  without  the  decisive  guid¬ 
ance  of  an  enlightened  management. 


1-1-4.  Organization  and  Use  of  the  Handbook 

Figure  1-1  identifies  applicable 
chapters  within  the  handbook  corresponding 
to  major  reliability  assurance  functions  to 
be  performed  in  the  design  and  development 
of  a  reliable  weapon  system.  The  functions 
are  listed  in  the  approximate  chronological 
order  of  their  application  during  the  develop¬ 
ment  phase,  and  for  this  reason  the  figure 
also  serves  as  a  basic  checklist  of  things  to 
be  done  in  planning  a  new  program. 
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Define  requirements 
Estimate  feasibility 
Allocate  reliability 

Prepare  a  TDP _ _ 

Prepare  a  specification 
Prepare  an  RFP 

Estimate  time  and  cost _ 

Prepare  contract  task  statement 
Formulate  a  design 
Review  a  design 
Evaluate  design  problems 
Evaluate  a  product  or  process 


Design  an  acceptance  test _ 

Plan  a  reliability  program _ 

Monitor  a  reliability  program 
Use  a  reliability  “feedback'*  loop 

Make  a  failure  analysis _ 

Make  a  field  evaluation 


Conduct  a  training  course 
Manage  a  reliability  program 


Figure  1-1.  Ready-Reference  Index  for  the  Performance  of  Specific  Reliability  Functions 
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KUAMJTY  PROGRAM  ACTIVITIES 


The  tactical  NEED  for  reliability  must  first  be  anticipated,  and  Specific 
^^2)  Operational  Requirements  (SOR’s)  must  reflect  this  need. 

Plans  must  then  be  laid  to  fulfill  the  reliability  need  (i.e.,  the  TDP): 
Reliability  requirements  defined  and  specified; 

Reliability  program  plans  formalized; 

Proposal  requests  and  contracts  documented; 

Reliability  is  thus  “planned-for”  from  the  start. 

(7)  The  reliability  program  is  implemented: 

Reliability  is  "monitored*’  continuously. 

®  The  conceptual  system  is  designed: 

“  Reliability  is  assessed  in  design  review; 

Design  is  revised  to  correct  deficiencies; 

Reliability  becomes  “designed-in’’  by  requirement. 

(7)  A  prototype  is  developed  according  to  the  design: 

Reliability  is  evaluated  by  test; 

Desimi  is  refined  to  correct  deficiencies; 

Reliability  is  “proven-in”  by  demonstration. 

( 7 )  The  system  is  produced  from  the  prototype  model: 

Parts,  materials,  and  processes  are  controlled; 

Equipment  acceptability  is  determined  by  test; 

Reliability  is  “built-in”  by  control. 

The  system  is  deployed  to  the  Fleet; 

Operators  ana  maintenance  technicians  are  trained; 

Operating  and  maintenance  instructions  are  distributed; 

Reliability  is  “maintained-in”  by  procedure. 

(5^  The  system  is  evaluated  to  determine  that  the  original  need  has  been  met,  and 
no)  the  feedback  loop  completes  the  cycle: 
v"  To  guide  product  improvements; 


Figure  1-2.  Points  of  Reliability  Practice  in  the  System  Life  Cycle 
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1-2  RELIABILITY  DOCUMENTS 
APPLICABLE  TO  THE  SYSTEM  LIFE  CYCLE 


1-2-1 


1-2-1.  The  System  Life  Cycle 

The  major  points  of  reliability  practice  in  a  typical  "system  life  cycle”  are  shown  in 
Figure  1-2.  Several  reliability  specifications  and  documents  have  been  adopted  by  the 
Bureau  of  Naval  Weapons  to  support  its  overall  reliability  assurance  program  —  to  give 
assurance  that  the  life  cycle  of  each  system  under  its  cognizance  does  ultimately  satisfy 
the  "need”  as  initially  anticipated.  These  reliability  documents  can  be  arranged  according 
to  their  applicability  at  different  points  in  the  life  cycle,  as  shown  in  Figure  1-3. 
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The  handbook  has  been  prepared  in  support  of  Bureau  of  Naval  Weapons  policies  and 
concepts  as  expressed  or  implied  in  these  documents.  Other  documentation  -  handbooks, 
technical  reports,  and  basic  reference  texts  —  has  also  been  considered  in  the  application  of 
engineering  and  management  procedures.  A  brief  description  of  these  documents  follows. 


1-2-2.  Specifications 

Reliability  Requireeients  for  Design 
of  Electronic  Equipment  or  Systems 

Outlines  procedures  to  insure  that  electronic  equipment  designs  will  have  a  high  level 
of  inherent  reliability  before  release  to  production.  Sets  forth  detailed  requirements  for 
feasibility  study  and  planning  of  the  proposed  design,  reliability  assessment  of  the  design, 
and  report  preparation  in  accordance  with  M1L-STD-441.  Prescribes  tests  for  parts,  sub- 
assemblies,  and  assemblies,  to  determine  compatibility  with  proposed  application  in  the 
design.  Prescribes  requirements  for  construction  of  prototype  models  and  updating  of  reli¬ 
ability  predictions  and  “desigp  approval”  testing.  Specifies  requirements  for  design  evalu¬ 
ation  test  reports,  and  final  reliability  report  at  completion  of  development. 


MIL-R- 22256 


MIL-R-22973 


Reliability  Index  Determination  for  Avionic  Equipment 


Establishes  requirements  and  procedures  to  determine  mean  life  of  avionics  equipment, 
by  testing  models  of  prototype,  preproduction,  or  production  equipment.  Specifies  require¬ 
ments  for  test  facilities,  test  conditions  and  duration,  and  definition  of  test  levels.  Outlines 
procedures  for  test  and  failure  data  recording,  failure  analysis  and  corrective  action,  MTBF 
estimation  for  prescribed  levels  of  confidence.  Sets  forth  detailed  requirements  for  engineer¬ 
ing  reports. 


Reliability  Assurance  for  Production  Acceptance 
of  Avionic  Equipment 

Establishes  requirements  and  procedures  to  assure  compliance  with  a  specified  MTBF 
requirement  for  production  acceptance  of  avionics  equipment.  Sets  forth  requirements  for 
equipments  to  be  tested,  test  equipment,  test  conditions  and  duration,  debugging  and  ther¬ 
mal  survey,  maintenance  rules,  and  test  data  records.  Defines  specific  conditions  for  five 
test  levels  (Levels  1  through  V)  with  respect  to  temperature,  altitude,  vibration,  humidity, 
heating  and  cooling  cycles,  and  input  voltage.  Provides  samples  of  suggested  test  data  logs, 
failure  and  repair  records.  Presents  sequential  plans  for  two  levels  of  consumer  risk.  Es¬ 
tablishes  requirements  for  preproduction  assurance,  requirements  apportionment  among  com¬ 
ponents  and  parts  for  acceptance  criteria,  vendor  control,  training,  etc.  Prescribes  contractor 
responsibility  for  failure  analysis  and  repair  or  corrective  action.  Outlines  accept/reject 
decision  criteria  and  procedures  to  be  followed  in  the  event  of  either  decision. 


MIL-R-23094 
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TEST  LEVELS 


Level 

Factor 

Conditions 

■ 

Temperature 

Input  Voltage 

25  ±  5°C  (68°F  to  86°F) 

Nominal  (within  range  specified  for  equipment) 

11 

Temperature 

Vibration 

Input  Voltage 

40  ±  5°C  (95°F  to  113°F) 

±  2g  non-resonant  frequency,  20  and  60  cps 

Max.  specified  voltage  +0  -2%  at  max.  temp.; 

Min.  specified  voltage  +2  -0%  at  min.  temp. 

III 

Chamber  Temperature 
Vibration 

Heating  Cycle 

Cooling  Cycle 

Input  Voltage 

-54°C  to  +55°C  (~65°F  to  131°F) 

Same  as  Test  Level  II 

Time  to  stabilize,  plus  3  hours 

Time  to  stabilize  at  the  low  temperature 

Same  as  Test  Level  II 

IV 

Temperature 

Vibration 

Heating/ Cooling  Cycles 
Input  Voltage 

-65°C  to  +71°C  (-85° F  to  160°F) 

Same  as  Test  Level  II 

Same  as  Test  Level  III 

Same  as  Test  Level  II 

1 

Temperature 

Altitude 

Humidity 

Vibration 

Input  Voltage 

50°  *  5°C  (113°F  to  131°F) 

Normal  (0  -  5000  ft.) 

Room  ambient  (up  to  90%) 

Same  as  Test  Level  II 

Nominal  (within  range  specified  for  equipment) 

Sy steal  Readiness/Maintainability;  Avionic  Systems  Design, 

General  Specification  for 

Specifies  one  of  the  major  requirements  for  system  effectiveness  as  it  relates  to  avion¬ 
ics  systems  and  subsystems.  Equipment  complying  with  these  requirements  shall  be  designed 
to  meet  the  requirements  for  maintainability  and  system  readiness  without  reduction  in  the 
functional  system  performance.  All  levels  of  maintenance,  including  certain  airborne  main¬ 
tenance  functions,  are  considered  in  this  specification. 


MIL-S-23603 


Quality  Program  Requirements 

Specifies  requirements  for  an  effective  and  economical  quality  program,  planned  and 
developed  in  consonance  with  the  contractor’s  other  administrative  and  technical  programs. 
Design  of  the  program  shall  be  based  upon  consideration  of  the  technical  and  manufacturing 
aspects  of  production  and  related  engineering  design  and  materials.  The  program  shall 


MIL-Q-9858A 
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assure  adequate  quality  throughout  all  areas  of  contract  performance  -  for  example,  design, 
development,  fabrication,  processing,  assembly,  inspection,  test,  maintenance,  packaging, 
shipping,  storage,  and  site  installation. 

All  supplies  and  services  under  the  contract,  whether  manufactured  or  performed  within 
the  contractor’s  plant  or  at  any  other  source,  shall  be  controlled  at  such  points  as  necessary 
to  assure  conformance  to  contractual  requirements.  The  program  shall  provide  for  the  pre¬ 
vention  and  ready  detection  of  discrepancies  and  for  timely  and  positive  corrective  action. 
The  contractor  shall  make  objective  evidence  of  quality  conformance  readily  available  to  the 
government  representative.  Instructions  and  records  for  quality  must  be  controlled. 

The  authorities  and  responsibilities  for  those  in  charge  of  the  design,  production, 
testing,  and  inspection  of  quality  must  be  clearly  prescribed.  The  program  shall  facilitate 
determinations  of  the  effects  of  quality  deficiencies  and  quality  costs  on  price.  Faei'ities 
and  standards  necessary  to  the  creation  of  the  required  quality  such  as  drawings,  engineer¬ 
ing  changes,  measuring  equipment,  and  the  like,  must  be  effectively  managed.  The  program 
must  include  an  effective  control  of  purchase  materials  and  subcontracted  work.  Manufactur¬ 
ing,  fabrication,  and  assembly  work  conducted  within  the'  contractor’s  plant  must  be  con¬ 
trolled  completely.  The  quality  program  also  encompasses  effective  execution  of  responsi¬ 
bilities  shared  jointly  with  the  Government  or  relating  to  government  functions  such  as 
control  of  government  property  and  government  source  inspection. 

Contract  Requirements  for  Aircraft  Weapon  Systems 
Engineering  Data  and  Tests 

Specifies  requirements  for  engineering  data  and  tests,  including  reports  of  contractor 
reliability  program  plans,  reliability  analyses  and  allocations,  reliability  test  plans,  and 
flight  test  results,  for  aircraft  weapon  systems. 


Contract  Requirements  for  Guided  Missile  System  Design  Data 


Specifies  requirements  for  design  data  to  be  furnished  under  contracts  for  guided 
missile  systems,  and  outlines  specific  reliability  monitoring,  testing,  evaluation,  and  report¬ 
ing  requirements. 


MIL-D-8684 


MIL-D-8706 


General  Specification  for  Reliability 

Covers  general  requirements  to  assure  that  reliability  is  given  adequate  and  uniform 
consideration  in  procurements  sponsored  by  the  Bureau  of  Naval  Weapons.  Requires  the 
achievement  of  a  prescribed  level  of  reliability  as  set  forth  by  the  contract.  Requires  the 
establishment  of  a  reliability  assurance  and  monitoring  program  by  the  contractor,  to  assure 
that  systems,  equipments,  and  components  meet  the  contract  requirements.  Prescribes,  in 
general,  also,  the  quality  assurance  provisions  by  which  compliance  with  the  requirements 
will  be  determined. 


WS-3250 
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Airplane  Strength  and  Rigidity  Reliability  Requirements, 

Repeated  Loads,  and  Fatigue 

Contains  the  reliability  criteria  and  repeated  loads  spectra  applicable  to  procurement 
of  airplanes,  including  a  tabulation  of  service-life  requirements  for  structural  design  of 
thirteen  types  of  Navy  aircraft  expressed  in  terms  of  flight  hours,  flights,  and  landings,  for 
particular  flight  maneuver  spectra. 


MIL-A-8866 


General  Specification  for  Maintainability 

Covers  general  requirements  for  contractors'  maintainability  programs  and  monitoring 
procedures,  and  prescribes  requirements  for  maintainability  prediction,  evaluation,  and 
reporting. 


WS-3099 


1-2-3.  Weapon  Requirements  Documents 


SAR-317 


Special  Aeronautical  Requirement:  Reliability  Analysis  for  Controls 
for  Aeronautical  Gas  Turbine  Power  Plants 


Specifies  a  procedure  for  analyzing  the  power  control  systems  of  aeronautical  gas 
turbine  power  plants  for  the  effects  of  component  malfunctions.  Power  control  systems  are 
here  defined  as  all  equipment  used  for  measuring  engine  controlled  variables  and/or  environ¬ 
ment  for  control  purposes  and  for  manipulating  engine  variables  for  the  purpose  of  maintain¬ 
ing  engine  operation  within  safe  and  satisfactory  limits  and  for  the  purpose  of  establishing 
the  required  power  or  thrust  condition.  Included  are  such  items  as  rpm,  pressure,  and  temper¬ 
ature  sensors;  actuators  for  manipulating  fuel  flow  and  engine  geometry  for  control  purposes; 
computers  with  interconnect  sensors  and  actuators;  and  power  supplies  such  as  electric 
generators  or  hydraulic  pumps  which  are  used  exclusively  for  the  control  system.  Control 
components  used  for  auxiliary  engine  services  other  than  producing  thrust  or  power,  such  as 
anti-icing,  afterburner  cooling,  bleed  air  for  airplane  services,  fuel  pumps,  nozzles,  mani¬ 
fold  or  fuel  lines,  are  not  included. 

Integrated  Maintenance  Management  for  Aeronautical  Weapons, 

Weapon  Systems,  Related  Equipment 

Establishes  the  policy,  terms,  and  conditions  governing  the  implementation  and  execu¬ 
tion  of  an  integrated  maintainability  and  support  program  for  weapons,  weapon  systems,  and 
related  equipments  to  be  procured  under  the  contract  in  which  this  document  is  cited.  It  is 
the  specific  intent  of  this  document  to  charter  the  Integrated  Maintenance  Management  Team 
to  manage  the  total  Logistic  Support  Program.  Accordingly,  this  document  is  designed  to 
develop,  early  in  a  program,  a  maintenance  plan  which  is  tailored  to  specific  commodities 
and  contracts.  The  procedural  details  formerly  spelled  out  in  an  effort  to  define  all  possible 
conditions  have  been  deleted. 
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WR-41 


Reliability  Evaluation 


Provides  guidance  in  the  collection  and  interpretation  of  failure  data  from  tests  and 
field  evaluations  to  assess  reliability  achievement  and  problem  areas. 


1-2-4.  Instructions 


DOD  INST  3200.6 


Reporting  of  RD  and  E  Program  Information 


Establishes  requirements  for  the  quantitative  definition  of  reliability  and  mainatin- 
ability  requirements  in  technical  development  plans  (TDP’s);  requires  a  complete  description 
of  the  program  plan  by  which  achievement  of  development  goals  are  to  be  assured.  Is  appli¬ 
cable  to  all  development  programs.  DOD  RDT&E  will  base  their  approval  of  budget  plans 
on  the  adequacy  of  the  TDP  as  defined  in  this  instruction. 


OPNAVINST  3910. 4A 


Technical  Development  Plan 


Provides  guidance  for  the  preparation,  submission,  review,  and  implementation  of 
technical  development  plans.  Implements  DOD  Instruction  3200.6  within  the  Department  of 
the  Navy. 


BUWEPINST  3910. 2A 


Instructions  for  Preparing  Technical  Development  Plans  (TDP’s) 


Translates  DOD  and  OPNAV  Instructions  for  direct  Bureau  of  Naval  Weapons  appli 
cation. 


1-2-5.  Military  Standards 


Reliability  of  Military  Electronic  Equipment 

Describes  factors  to  be  considered  in  the  study,  planning,  design,  and  construction  of 
prototype  models  of  new  equipment.  Provides  an  excellent  outline  of  required  contents  for 
reports  to  be  submitted  during  planning,  design,  and  development  phases.  Equally  applic¬ 
able,  in  principle,  to  non-electronic  systems. 


MIL-STD-441 


Definition  of  Terms  for  Reliability  Engineering 

Defines  terms  commonly  used  in  reliability  work.  Important  terms  and  symbols  are  pre< 
seated  in  Appendix  1  of  this  handbook. 


MIL-STD-721 
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MIL-STD-756A  Reliability  Prediction 

Establishes  uniform  procedures  for  predicting  the  quantitative  reliability  of  aircraft, 
missiles,  satellites,  electronic  equipment,  and  subdivisions  of  them  throughout  the  develop¬ 
ment  phases,  to  reveal  design  weaknesses  and  to  form  a  basis  for  apportionment  of  reliability 
requirements  to  the  various  subdivisions  of  the  product.  Graphically  portrays  the  effects  of 
system  complexity  on  reliability,  to  permit  the  early  prediction  of  tolerance  and  interaction 
problems  not  accounted  for  in  the  simple  multiplicative  case  and  provides  appropriate  k 
factors  by  which  to  adjust  MIL-HDBK-217  predictions  for  airborne,  missile,  and  space  envi¬ 
ronments. 

mii  cTn  7oi  Test  Levels  and  Accept/Reject  Criteria  for  Reliability 
_ _ _ _ _  of  Non-Expendable  Electronic  Equipment 

Outlines  a  series  of  test  levels  for  demonstration  tests  (also  known  as  reliability 
index  determination),  longevity  tests,  the  reliability  qualification  phase  of  production  accept¬ 
ance,  and  the  sampling  phase  of  production  acceptance.  Also  outlines  several  test  plans  for 
use  in  the  qualification  phase  and  the  sampling  phase  of  production  acceptance.  The  test 
plans  are  based  on  an  assumption  of  an  exponential  distribution.  This  standard  is  intended 
to  provide  uniformity  in  reliability  testing  for  the  following  purposes: 

(a)  Assist  the  preparation  of  military  specifications  and  standards  to  the  extent  that  standard 
test  levels  and  test  plans  are  used. 

(b)  Restrict  the  variety  of  reliability  tests  so  that  those  conducting  tests  can  better  estab¬ 
lish  facilities  therefor. 

(c)  Permit  more  realistic  comparison  of  reliability  data  resulting  from  tests. 


1-2-6.  Handbooks 

M-200A  Defense  Standardization  Manual 

Establishes  format  and  general  instructions  for  the  preparation  of  specifications, 
standards,  handbooks,  and  maintenance  manuals.  Appendix  V-C  suggests  60%  confidence 
level  for  acceptance  testing  of  parts  for  weapon  systems,  as  a  practical  approach  for  reduc¬ 
ing  equipment  development  time  and  costs. 

MIL-HDBK-217  Reliability  Stress  and  Failure  Rate  Data  for  Electronic  Equipment 

Provides  the  procedures  and  failure  rate  data  for  the  prediction  of  part-dependent 
equipment  reliability  from  a  stress  analysis  of  the  parts  used  in  the  design  of  the  equipment. 
Must  be  used  according  to  procedures  outlined  in  MIL-STD-756A  for  estimates  of  MTBF  and 
reliability,  at  the  system  level,  on  account  for  tolerance  and  interaction  failures,  and  to 
adjust  for  the  particular  “use"  environment. 
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Maintainability  Design  Criteria  Handbook  for  Designers  of 
Shipboard  Electronic  Equipment 

The  first  part  of  the  handbook  discusses  the  maintainability  concept.  The  second  part 
presents  a  brief  description  of  shipboard  physical  environment  and  a  summary  of  mainten¬ 
ance  personnel  qualifications.  Maintainability  design  criteria  relating  to  equipment  packag¬ 
ing,  modularization  and  micro-miniaturization,  testing,  displays  and  controls,  cables  and 
connectors,  and  other  design  considerations  are  presented  in  the  remaining  six  parts  of  the 
handbook.  The  design  features  recommended  in  this  handbook  are  based  almost  entirely  on 
maintainability  considerations.  Inasmuch  as  the  final  equipment  design  must  also  satisfy 
other  requirements  of  the  design  specifications,  such  as  those  for  reliability,  operation,  and 
size  and  weight,  discussions  of  tradeoffs  between  maintainability  and  other  specified  require¬ 
ments  are  included  in  various  parts  of  the  handbook. 


NAVSHIPS  94324 


Sampling  Procedures  and  Tables  for  Life  and  Reliability  Testing 

This  handbook  describes  the  general  principles  and  outlines  specific  procedures  and 
applications  of  life  test  sampling  plans  for  determining  conformance  to  established  reliability 
requirements. 


H-108 


1-2-7.  Procedures  Related  to  Specific  Documents 

Most  of  the  reliability-maintainability-effectiveness  documents  described  above  ex¬ 
plicitly  define  certain  engineering  or  management  procedures,  test  plans,  and  data  require¬ 
ments  to  be  complied  with  in  fulfillment  of  contractural  requirements.  Similar  requirements 
are  implicitly  defined  in  others.  All  impose  a  responsibility  upon  the  applicable  project 
office,  contractor,  or  contracting  agency  to  do  certain  things  to  assure  ultimate  realization 
of  known  required  system  effectiveness  in  the  Fleet.  Figure  1-4  is  an  abbreviated  directory 
for  the  guidance  of  those  who  become  obliged  to  conform  to  the  requirements  of  a  particular 
document.  Opposite  each  document  identification  number  are  indicated  those  sections  of  this 
handbook  that  will  prove  helpful  in  satisfying  these  requirements. 
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TO  FULFILL  REQUIREMENTS 
OF  THESE  DOCUMENTS 


USE  THESE  CHAPTERS  OF 
THE  HANDBOOK 
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1-3  RELATIONSHIP  OF  RELIABILITY  AND  MAINTAINABILITY 
TO  SYSTEM  EFFECTIVENESS 


1 


1-3-1.  System  “Operational”  Effectiveness 

The  “worth”  of  a  particular  system  or 
piece  of  equipment  is  determined  primarily 
by  the  effectiveness  with  which  it  does  its 
job  —  its  "operational”  effectiveness.  An 
acceptable  level  of  effectiveness  is  required 
of  every  system  destined  for  tactical  use. 
Emphasis  on  reliability  alone  does  not 
necessarily  produce  the  required  level  of 
effectiveness.  Other  factors  must  be  con¬ 
sidered  simultaneously.  These  are  shown 
in  Figure  1-5. 

Each  of  these  characteristics  can  be 
expressed  as  a  “probability”  of  successful 
fulfillment  of  requirements,  defined  as 
follows: 


Performance  capability  is  the  prob¬ 
ability  that  the  system^  will 


satisfy  mission  performance  re¬ 
quirements  when  operating  within 
specified  design  limits  -  a 
measure  of  “how  well”  it  does 
its  job  when  working  properly. 

Operational  reliability  is  the  prob¬ 
ability  that  the  system  will 
maintain  a  specified  level  of 
performance  throughout  a  given 
mission  —  a  measure  of  “how 
long”  it  is  capable  of  working 
without  failure. 


Tactical  availability,  or  operational 
readiness,  is  the  probability  that 
at  any  point  in  time  the  system 
will  be  ready  to  operate  at  a 


MHOW  WELL”  "HOW  LONG"  "HOW  OFTEN" 

Figure  1-5.  Definition  of  Operational  Effectiveness 


l-^  The  words  “equipment”  and 
used  interchangeably. 


“system” 


can  be 
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specified  level  of  performance, 
on  demand  —  a  measure  of  “how 
often”  the  system  is  ready  when 
needed. 

Operational  effectiveness  is  the  pro¬ 
duct  of  these  three  characteristics,  i.e. : 


It  has  also  been  observed  on  the 
flight-line  that  1  set  in  10  is  usually 
being  worked  on,  and  consequently 
would  not  be  considered  operationally 
ready  for  use  if  needed.  Availability 
of  the  transceiver  for  flight  opera¬ 
tions  is  thus  determined  to  be  A  =  .9. 


Effectiveness  = 

Performance  x  Reliability  x  Availability 


Operational  effectiveness  of  an  equipment 
or  system  is  then  the  probability  that  it  can 
successfully  meet  an  operational  require¬ 
ment,  for  the  duration  of  the  need,  when  the 
need  arises. 

Other  factors  —  development  time  and 
cost,  logistic  supportability  —  also  enter 
into  an  evaluation  of  “worth”  during  system 
planning.  Within  the  bounds  set  by  these 
other  factors,  however,  operational  effec¬ 
tiveness  must  be  optimized  by  judicious 
balance  among  attainable  p  e  rfo  rm  an  c  e , 
reliability ,  and  availability  characteristics, 
taking  care  not  to  stress  the  importance  of 
one  at  the  exclusion  of  the  other  two. 

EXAMPLE:  A  VHF  transceiver  de¬ 
signed  for  100-mile  air-to-ground  line- 
of-sight  range  is  found  to  work  over 
this  range  90%  of  the  time  when 
properly  tuned.  The  performance 
capability  of  the  equipment  with 
respect  to  its  design  specification  is 
thus  P  =  .9. 

The  transceiver  has  also  demonstrated 
that  in  9  flights  out  of  10,  on  the 
average,  it  will  remain  in  operation 
for  5  hours  without  failure.  Its  re¬ 
liability  for  a  5-hour  mission  is  thus 
R  =  .9. 


Overall  effectiveness  of  the  trans¬ 
ceiver  for  5-hour  missions  of  100-mile 
range  is  then  estimated  from 

E  =  P  x  R  x  A 
-  (.9)  x  (.9)  x  (.9)  *  .73 

In  other  words,  the  tranceivers  in  7 
aircraft  in  a  flight  of  10  could  be  ex¬ 
pected  to  be  ready,  willing,  and  able 
to  satisfy  the  specified  tactical  com¬ 
munication  requirement  when  called 
upon. 


1-3-2.  The  Concept  of 

“Operational”  Reliability 

The  reliability  characteristic  of  an 
equipment  or  system  —  its  "operational 
reliability”  -  is  often  described  as  the  prod¬ 
uct  of  two  constituent  factors: 

•  An  inherent  reliability  achieved  in  design 
and  manufacture;  and 

•  A  use  reliability  degradation  factor  attrib¬ 
utable  to  the  shipping,  handling,  storage, 
installation,  operation,  maintenance,  and 
field  support  of  the  system. 

These  are  shown  in  Figure  1-6. 
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Rj  =  Probability  that  the 
equipment  design  will 

?|ive  satisfactory  per- 
ormance  under  speci¬ 
fied  conditions  of  usa, 
based  on  an  inherent 
failure  rate.  A,. 


kf  =  Factor  by  which  actual 
system  failure  rate  \% 
differs  from  the  inher¬ 
ent  value.  \%  =  krAr 


Figure  1-6.  The  Concept  of  Operational  Reliability  as  a  Combination  of  Two  Factors 


Operational  reliability  approaches  the 
value  of  inherent  reliability  as  development 
teat  conditions  approach  and  more  nearly 
simulate  use  conditions  and,  conversely,  as 
use  conditions  approach  the  idealized  test 
conditions  under  which  the  value  of  inherent 
reliability  is  measured,  i.e.,  kr  =  1*  It  is 
quite  obvious  that  the  design  concept,  the 
development  program,  the  manufacturing 
process,  and  the  reliability  test  program  must 
realistically  anticipate,  and  “build  to”,  the 
use  requirement. 

It  is  equally  important  that  the  tactical 
user  understand  the  design  intent  of  the 
equipment  if  its  inherent  reliability  potential 
is  to  be  fully  exploited  in  the  field. 

EXAMPLE:  The  “bench-test”  reli¬ 
ability  of  an  airborne  equipment  is 


measured  repeatedly  and  found  to 
demonstrate  a  mean  life  (MTBF)  of  50 
hours.  In  actual  Fleet  use,  however, 
the  same  equipment  repeatedly  dem¬ 
onstrates  an  MTBF  of  only  25  hours. 
This  indicates  a  2-to-l  reduction  in 
equipment  life,  due  to  differences 
between  “test”  conditions  and  “use” 
conditions.  These  differences  are 
reflected  in  the  factor  k^due  in  this 
case  to  a  value  of  kr  =  2. 


•^The  factor  kj.  operates  on  equipment  failure  rate.  In 
the  reliability  expression  lor  the  exponential  case, 

R»  =  e-Xi‘ 

Rs  =  e'krXit  =  e'Xs* 

Ag  =  krAj 


and 

where 
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1-3-3.  Reliability  Definitions 

The  reliability  of  a  product  is  generally 
defined  as  the  probability  that  the  product 
will  give  satisfactory  performance  for  a 
specified  period  of  time  when  used  under 
specified  conditions.  When  applied  to  a 
specific  equipment  or  system,  reliability  is 
frequently  defined  as 

—  “the  probability  of  satisfactory 
performance  for  specified  time  and 
use  conditions’’;  or 

—  “the  probability  of  a  successful 
mission  of  specified  duration  under 
specified  use  conditions’’;  or 

—  “the  probability  of  a  successful 
[eventjunder  specified  conditions’  ’, 
where  the  event  may  be  a  missile 
launch,  a  flight,  an  intercept,  or 
an  “actuation”  independent  of 
time. 

Whenever  the  definition  is  worded  to 
fit  a  particular  system  or  device,  it  is 
always  necessary  to  relate  probability  to  a 
precise  definition  of  “success”  or  **• satis¬ 
factory  performance to  specify  the  time 
base  or  operating  cycles  over  which  such 
performance  is  to  be  sustained;  and  to 
specify  the  environmental  or  use  conditions 
which  will  prevail  during  this  time  period. 


00-65-502 

As  a  general  rule,  applicable  to  most 
electronic  equipment  of  conventional  de¬ 
sign,-^  a  simple  relationship  exists  between 
the  reliability  of  an  equipment  and  its  mean 
life,  or  mean-time-between-failures  (MTF  or 
MTBF).^/  This  relationship  is  the  “ex¬ 
ponential”  case,  which  holds  when  the 
“failure  rate”  of  the  equipment  is  constant 
during  its  service  life,  shown  by  the  follow¬ 
ing  equation: 

R  (for  “t”  hours)  =  e*l/MTBF 


Because  of  this  relationship,  reliabil¬ 
ity  may  be  expressed  in  terms  of  an  allowable 
mean-time-between-failures  (MTBF)  or  mean 
life  (6).  An  exponential  function  is  illus¬ 
trated  in  Figure  1-7. 

Failure  rate  in  the  above  exponential 
case  is  the  reciprocal  of  mean  life,  repre¬ 
sented  by  FR  or  A  (lambda): 

FR  =  1  _  1  _  L  _  x 

MTBF  ~  MTF  d 


^Designs  in  which  redundancy  has  not  been  used 
extensively. 

4/“MTF”  and  “MTBF”  are  frequently  used  inter¬ 
changeably,  although  MTF  usually  applies  to  the 
mean  life  of  “one-shot”  or  non-repairable  items. 
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Figure  1-7.  Exponential  Reliability  Function 


1-3-4.  Describing  the  Reliability  Requirement 

Figure  1-8  shows  the  relationship 
among  the  three  basic  definitions,  applied 
to  the  same  equipment  at  points  1,  3,  and 


4.  Point  2  shows  the  choice  of  a  probability 
definition  to  describe  a  high  reliability  re¬ 
quirement  for  a  short  mission,  where  time- 
to-failure  thereafter  is  of  secondary  im¬ 
portance. 
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RELIABILITY 


Figure  1-8.  Probability  and  Time  Relationships  in  the  Definition  of  Reliability 


1-3-5.  Concept  of  “Tactical"  Availability  •  An  availability  degradation  factor  exper¬ 
ienced  in  use  —  the  degrading  effect  of 
Like  reliability,  tactical  availability  actual  use  conditions  on  the  maintainabili- 
can  be  considered  as  a  combination  of  two  ty  and  supportability  of  the  equipment, 
factors:  attributable  to  the  degree  of  qualification 

of  maintenance  personnel,  adequacy  of 
•  An  “ intrinsic ”  availability  achieved  in  test  and  repair  facilities,  sufficiency  of 
design  -  the  probability  that  the  equip-  spares  provisioning,  etc. 
ment  will  be  operationally  ready  when 

needed  at  any  point  in  time,  under  speci-  Figure  1-9  illustrates  this  concept, 

fied  conditions  of  maintenance  and  logistic 
support;  and 


1-19 


1-3-5  to  1-3-6 


NAVWEPS  00-65-502 


A.  =  Probability  that  th« 
equipment  design  will 
satisfy  availability 
requirements  under 
specified  conditions, 
based  on  an  intrinsic 
repair  rate,  ni  achieved 
in  design. 


k0  =  Factor  by  which  actual 
system  repair  rate 
differs  from  the  intrin¬ 
sic  value.  =  ka#V 


Figure  1-9.  Concept  of  Tactical  Availability  as  a  Design  Value  and  Use  Factor 


1-3-6.  Availability  as  a  Function  of 
Equipment  Maintainability 
and  Mean  Life 

Availability  is  defined  as: 

A  =  MTBF  _  1  =  1 

MTBF  +  Tr  1  +  Tr/MTBF  1  +  A/#» 

where  MTBF  =  Mean  -time-between- 
failures  or  mean  life; 

Tr  =  Mean-time  - to  -  restore 
equipment  to  operating 
status  following  failure 

=  Mean  downtime  for  repair. 


A  =  Equipment  failure  rate 

1 

MTBF 

H  =  Equipment  repair  (restor¬ 
ation)  rate 

=  J_ 

Tr 

(Tr  and  n  include  admin¬ 
istrative  and  logistics 
downtime.) 

If  the  ratio  Tr/MTBF  is  known,  equip¬ 
ment  availability  can  be  derived  from  Figure 
1-10. 
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EXAMPLE:  A  weapon  control  system 
has  a  mean-time-between-failures, 
MTBF  =  20  hours.  Maintenance  logs 
show  a  mean-time-to-restore,  Tr  =  5 
hours,  including  time  required  to  local¬ 
ize  the  failure,  obtain  the  replace¬ 
ment  part,  make  the  repair,  and  per¬ 


form  post-maintenance  checkout.  The 
ratio  Tr/MTBF  =  5/20  =  .25  is  used  to 
find  availability  in  Figure  1-10.  In  this 
case,  A  =  .8,  i.e.,  the  weapon  control 
system  can  be  expected  to  be  in  a  state 
of  operational  readiness  when  needed 
8  times  in  10,  on  the  average. 


AVAtAMITY 


Figure  1-10.  Availability  asa  Function  of  Mean-Time-To-Restore/M#an-Time-Between-Failures 
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1-3-7.  Describing  the 

Availability  Requirement 

The  availability  requirement  can  be 
described  either  as  a  required  probability  of 
operational  readiness,  or  as  a  maintain¬ 
ability  requirement.  The  latter  is  usually 
more  amenable  to  design  interpretation  and 
measurement,  so  long  as  care  is  exercised 
in  keeping  the  maintainability  requirement 
compatible  with  both  the  reliability  and 
availability  requirements. 

Figure  1-11  illustrates  a  typical 
maintainability  function,  with  two  basic 
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methods  for  defining  the  maintainability 

requirement: 

®  As  a  mean-time-to-restore  require¬ 
ment.  This  definition  does  not  control 
the  distribution  of  repair  times.  The 
definition  is  useful  for  specifying 
maintainability  of  long-life  systems. 

(2)  As  a  probability  of  restoration  within  a 
specified  period  of  repair  time,  tr.  This 
definition  is  useful  for  equipment  to  be 
designed  for  high  maintainability,  em¬ 
ploying  reliability-with-repairor  module 
maintenance  concepts. 


Figure  1-11.  Two  Ways  to  Define  Maintainability 


1-22 


NAVWEPS  00-65-502  1-3-7  to  1-4-1 


EXAMPLE:  An  airborne  communica¬ 
tions  central  is  to  be  developed  to  meet 
an  OPNAV  specified  effectiveness  of 
90%  -  i.e.,  it  must  be  capable  of 
operating  on  demand  9  times  in  10 
throughout  a  5-hour  mission.  Initial 
tradeoff  studies  indicate  a  reliability 
feasibility  of  .92.  Thus,  an  avail¬ 
ability  requirement  of  approximately 
.98  must  be  met  to  satisfy  effective¬ 
ness  requirements. 


1-4  A  REVIEW  OF  THE 


1-4-1.  Present  Avionics  Equipment 

Figure  1-12  is  plotted  after  the  fashior 
of  the  familiar  chart  of  MIL-STD-756A,  show¬ 
ing  several  of  today’s  avionics  equipments 
superimposed  for  a  graphical  portrayal  of 
"where  we  are  today,  on  the  basis  of  yester¬ 
day's  designs ”.  Each  spot  on  the  figure 
represents  several  equipments  of  a  given 
type  observed  over  an  extended  period  in 
the  Fleet.  MTBF  is  measured  as  mean-time- 
between  operator  or  pilot  complaint.  To 
convert  to  MTBF  measured  as  mean-time- 
between  technician-verified  malfunction, 
add  25%  to  the  MTBF  shown  in  the  figure. 

The  figure  also  shows  a  scale  for 
computing  reliability  for  5-hour  missions, 
R(5),  and  for  determining  mission  operating 


From  Figure  1-10,  a  Tr/MTBF  ratio  of 
.02  will  be  required. 

From  the  nomograph  of  Appendix  3,  an 
MTBF  =  60  hours  corresponds  to 
R  =  .92  @  5  hours. 

Then  Tr  =  .02  x  60  =  1.2  hours  should 
be  achieved  if  the  availability  require¬ 
ment  is  to  be  simultaneously  satisfied. 


RELIABILITY  SITUATION 


time  corresponding  to  three  different  reli¬ 
ability  requirements  —  .9,  .95,  and  .99. 

EXAMPLE:  An  avionics  equipment 
(System  "X”)  consists  of  300  AEG’s.5/ 
On  the  average,  the  equipment  will 
demonstrate  10  hours  MTBF.  The 

5- hour  mission  reliability  of  this 
equipment  will  then  be  .6.  The  equip¬ 
ment  also  can  be  predicted  to  dem¬ 
onstrate  a  reliability  of  .9  for  a  1-hour 
mission,  a  reliability  of  .99  for  a 

6- minute  mission.  This  assumes  per¬ 
formance  capability  of  1. 


§/  The  AEG  measure  of  complexity,  discussed  in 
Chapter  2,  is  based  on  the  number  of  transistors, 
electron  tubes,  and  power  diodes  used  in  the 
equipment. 
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FUNCTIONAL  COMPLEXITY  (SERIES  ACTIVE  B.EMENTS) 


Figure  1*12.  Observed  Avionics  Equipment  Reliability  (Analog  Function) 


MEAN-TIME-  BETWEEN- FAILURES  (MTBF)  IN  HOURS 


1-4-1  to  1-4-3 
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Line  A  represents,  on  the  average, 
what  can  be  expected  of  conventional  de¬ 
sign;  Line  B  represents  an  average  of 
several  “specified”  MTBF  requirements 
corresponding  to  those  subsequently“ob- 
served”.  The  difference  between  what  has 
been  “asked  for”  (defined  as  a  requirement) 
and  what  was  actually  delivered  to  the  Fleet 
has  averaged  about  7-to-l;  i.e.,  ask  for  700- 
hour  MTBF  to  get  100  hours. 

F!X AMPLE:  The  specification  for 
equipment  “Y”  called  out  a  require¬ 
ment  for  200  hours  MTBF.  Current 
Fleet  experience  shows  MTBF  =  25 
hours  —  one-eighth  of  the  specified 
requirement. 


needs  for  more  integrated  functions  with  in¬ 
creased  performance,  higher  precision,  and 
faster  response  characteristics.  Increased 
complexity  means  shorter  mean  life,  longer 
repair  times,  reduced  availability,  and  con¬ 
sequently  unacceptable  levels  of  effective¬ 
ness  at  higher  cost.  All  these  parameters 
are  tied  very  closely  to  equipment  complexity 
of  conventional  design,  by  known  factors  — 
based  on  experience  gleaned  from  past 
development  programs.  On  the  basis  of  this 
past  experience,  it  can  be  predicted  with 
confidence  that  a  vast  majority  of  the 
systems  and  equipments  now  going  into  de¬ 
velopment  can  never  achieve  a  satisfactory 
level  of  operational  effectiveness  through 
conventional  design  approaches. 


1-4-2.  Present  Shipboard  Equipment 


This  designers’  dilemma  can  be 
minimized  through  the  following  specific 
steps  taken  early  in  the  equipment  develop¬ 
ment  program: 


Figure  1-12  shows  the  same  type  of 
plot  for  today’s  shipboard  and  shore-based 
systems  —  radar  and  communication.  The 
right-hand  scale  translates  the  MTBF 
measurement  to  a  “probability  of  survival” 
for  a  24-hour  mission  or  prediction  operating 
period. 

E X AMPLE :  System  “Z”  is  a  shipboard 
fire  control  radar  system  made  up  of 
900  transistors  and  electron  tubes. 
Its  mean-time-between-failures  (MTBF) 
observed  in  the  Fleet  is  12  hours.  Its 
reliability  (probability  of  survival 
without  failure)  for  a  24-hour  operating 
period  is  about  .14. 

1-4-3.  Future  Prospects 

New  systems  can  be  expected  to  be¬ 
come  even  more  complex,  to  satisfy  the 


©  Quantitative  definition  of  equipment 
requirements,  determined  early  in  pro¬ 
ject  planning: 

Performance 

Reliability 

Availability  and  Maintainability 


(T)  Realistic  appraisal  of  design  feasibility 
to  satisfy  these  requirements  by  con¬ 
ventional  approach,  within  space/ 
weight  cost  and  time  limitations. 


(T)  Resolution  of  differences  between 
required  and  feasible  attainments  by 
allocation  and  tradeoff,  and  by  program 
planning  to  accommodate  and  support 
the  required  design  approach. 
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Translation  of  the  resolved  require 
ments  into  quantitative 

Development  Specifications 
Demonstration  Test  Requirements 
Acceptance  Test  Criteria 
Program  Monitoring  Milestones 


reasonably  hard  to  satisfy;  yet,  on  the  other 
hand,  he  must  provide  the  motivation, 
guidance,  and  support  required  to  assure 
contractor  progress  and  achievements  that 
will  satisfy  him.  As  related  to  the  pursuit 
and  acquisition  of  reliability  objectives, 
this  implies  that  the  project  engineer  must: 


in  order  to  motivate  and  require  adoption 
of  the  necessary  design  approach  and 
reliability  assurance  measures. 


Recognition  of  the  need  for  R  &  D  in 
specific  areas,  in  support  of  new  design. 


The  TDP,  the  development  specifi¬ 
cation,  theRFQ,  and  the  resultant  contractual 
document  —  all  must  clearly  completely, 
and  accurately  specify  what  is  required,  and 
how  it  will  be  tested  for  compliance. 


•  Know  and  define  the  level  of  reliability 
he  wants; 

•  Reoognize  the  disparity  between  what  he 
wants  and  what  he  will  probably  get 
unless  he  exercises  the  required  degree 
of  “control”  over  the  reliability  growth 
process; 

•  Understand  the  application  of  certain  of 
the  “tools”  available  to  him  by  which 
this  controlled  reliability  growth  can  be 
assured  —  not  merely  promised. 


1-4-4.  Project  Engineering  “MUSTS” 

It  is  always  easier  to  be  critical  of  a 
state-of-being  than  it  is  to  be  helpful  in  the 
improvement  of  that  state-of-being.  The 
Bureau  project  engineer  must  be  both  critical 
and  helpful.  On  the  one  hand,  he  must  be 


The  remaining  chapters  of  this  hand¬ 
book  outline  some  of  the  planning  con¬ 
siderations  and  describe  some  of  the 
procedures  that  can  be  fruitful,  both  in  the 
achievement  of  required  reliability  in  specific 
programs,  and  in  the  “ self-critique/ self- 
help”  control  of  reliability  on  a  program  wide 
basis  throughout  the  system  lifecycle. 
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CHAPTER  2 

TECHNICAL  REQUIREMENTS  ANALYSIS, 
FEASIBILITY  ESTIMATION,  AND  ALLOCATION 

2-1  INTRODUCTION 


2-1-1.  General 

The  first  and  most  important  phase  of 
the  system  life  cycle  is,  logically  enough, 
the  planning  phase,  where  system  require¬ 
ments  are  analyzed  and  translated  into 
well-defined  technical  objectives  and  where 
detailed  plans  are  laid  to  assure  successful 
achievement  of  these  objectives  -  in  short, 
the  success  of  the  entire  system  development 
program  hinges  on  how  well  the  project 
engineer  does  his  job  before  the  first  de¬ 
velopment  contract  is  awarded. 

The  system  or  equipment  to  be  de¬ 
veloped  is  usually  part  of  a  larger  system 
complex  for  which  tactical  requirements  have 
been  defined  by  CNO  through  a  “Specific 
Operational  Requirement”,  or  SOR.d-/  The 
SOR  constitutes  a  directive  to  the  responsible 
bureau  for  the  preparation  of  a  “Technical 
Development  Plan”  (TDP)  to  accomplish  the 
CNO  objectives  expressed  by  that  SOR.  It 
ultimately  becomes  the  task  of  a  project 
engineer  to  translate  the  objectives  of  the 
SOR  into  a  detailed  technical  description  of 
the  system  to  be  developed.  The  description 

1/An  SOR  “will  state  a  need  for  a  capability,  will 
outline  a  system  or  major  component  tor  achieving 
it,  andwill  state  the  reasons  for  the  requirement.”— 

OPNAVINST  3910.6 


obviously  must  be  expressed  in  quantitative 
terms  that  are  amenable  to  control  by  pre¬ 
diction  and  measurement  during  the  design 
and  development  phases. 

In  general,  there  are  three  closely  re¬ 
lated  analyses  to  be  made  by  the  project 
engineer  in  order  to  generate  the  essential 
descriptive  information  needed  for  the 
preparation  of  technical  development  plans, 
design  specifications,  requests  for  proposals, 
and  contractual  task  statements.  These  are: 


(1)  Analysis  and  definition  of  the  operation¬ 
al  requirements  —  performance,  reli¬ 
ability,  and  maintainability  —  required 
for  the  desired  level  of  system  “effec¬ 
tiveness”. 

(2)  Estimation  of  the  feasibility  of  achieving 
these  requirements  by  conventional  de¬ 
sign,  in  order  to  assess  the  practical 
difficulty  of  the  development  job. 

(3)  Initial  allocation  of  requirements  and 
supporting  R  &  D  effort  among  sub¬ 
systems,  according  to  an  equitable 
method  of  apportionment. 
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2-1-1  to  2-2-1 

The  procedures  outlined  in  this  section 
are  intended  primarily  to  assist  the  project 
engineer  in  the  analysis  of  system  reliability 
requirements,  although  stress  is  also  placed 
on  maintainability  and  performance  require¬ 
ments  since  all  three  are  equally  vital  to 
operational  effectiveness  of  the  system.  The 
procedures  are  in  general  accord  with  BuWeps 
policies  expressed  or  implied  in  the  following 
applicable  documents: 

BUWEPINST  39 10. 2 A 

“Instructions  for  Preparing  Technical 
Development  Plans  (TDP’s)" 


MIL-STD-756A 

“Reliability  Prediction" 

WR-30 

“Integrated  Maintenance  Management 
for  Aeronautical  Weapons,  Weapon 
Systems,  and  Related  Equipment" 

WS-3250 

“General  Specification  for  Reliability" 
MIL-R-22256 

“Reliability  Requirements  for  Design 
of  Electronic  Equipment  or  Systems" 


2-2  DEFINITION  OF  SYSTEM  OPERATIONAL  REQUIREMENTS 


2-2-1.  General 

Every  weapon  system  concept  is  based 
on  a  need  to  fulfill  an  anticipated  operational 
requirement.  The  “effectiveness"  with  which 
the  system  fulfills  this  need  is  the  ultimate 


measure  of  its  tactical  utility  and  its  value 
to  the  Fleet.  System  effectiveness  is  a 
composite  of  three  parameters  —  performance, 
reliability,  and  availability  -  as  depicted  by 
the  block  diagram  of  Figure  2-1. 


Figure  2-1.  System  Effectiveness  Model  for  Specified  Functions 
under  Stated  Conditions 


i 
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The  performance  model  is  the  functional 
or  operational  (schematic)  block  diagram  used 
to  depict  the  functional  relationships  of 
subsystems  and  components  required  to  fulfill 
performance  requirements  of  the  conceptual 
system.  This  diagram  is  used  in  the  definition 
of  interface  characteristics,  transfer  functions, 
and  tolerance  requirements. 

The  reliability  model  reorients  the 
blocks  of  the  functional  model  into  a  series 
parallel  network  to  depict  the  reliability 
relationships  among  subsystems  and  com¬ 
ponents,  for  the  estimation  and  allocation  of 
the  reliability  requirement. 


Describe  mission  profiles  and  duty 
cycles. 


(  4  J  Define  the  operational  effective 
ness  or  ‘‘kill  probability”  require¬ 
ment. 


Define  performance  characteristics 
and  ‘‘failure”  criteria. 


Define  reliability  requirements. 

Define  availability/ maintainability 
requirements. 


The  availability  model  is  an  adaptation 
of  the  reliability  block  diagram  to  reflect 
proposed  maintenance  concepts  and  monitor¬ 
ing  provisions  which  will  permit  the  esti¬ 
mation  of  failure  densities  and  repair  rates. 
These  estimates  are  then  used  as  a  basis 
for  allocating  repairability  requirements  and 
for  estimating  the  maintenance  support  (per¬ 
sonnel,  facilities,  and  spares  provisioning) 
required  to  achieve  specified  availability. 

In  general,  effectiveness  is  the  product 
of  performance,  reliability,  and  availability. 
For  a  specified  level  of  performance,  the 
effectiveness  model  simplifies  to: 

E  =  Reliability  x  Availability,  for  a 
given  level  of  performance 
under  specified  use  conditions 

2-2-2.  Procedural  Steps 

The  following  step-by-step  procedure 
relates  to  the  seven  points  of  Figure  2-1: 

f  1  j  Describe  the  functioned  configu- 

' — *  ration  and  boundaries  of  the 
system. 

(2  j  Describe  the  anticipated  use 
conditions. 


Describe  System  Functions  and 
Boundaries. 


Describe  the  ‘‘total”  system  with  which 
the  new  developmental  system  is  to  become 
integrated.  For  convenience  in  visualizing 
the  functional  makeup  and  interface  boundaries 
applicable  to  the  system,  construct  a  functional 
block  diagram,  indicating  major  operating 
modes  and  performance  functions,  including 
multiple  functions  and  planned  redundancy. 

Figure  2-2  is  an  example  of  a  simplified 
block  diagram  for  a  hypothetical  weapon 
system. 

The  outer  boundary  of  the  figure 
establishes  the  points  of  contact  and  the 
interfaces  between  the  weapon  system  and 
the  major  system  with  which  it  is  to  become 
integrated.  Within  the  weapon  system 
boundary  the  conceptual  system  is  blocked 
out  by  major  subsystem  required  for  each 
system  performance  function.  For  example: 

Blocks  1  and  2  (control  console  and 
search  radar)  are  required  for 
system  function  A  —  search  and 
detection. 


STEP  1 
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FUNCTION 


A  8  C  0 


Figure  2-2.  Functional  Block  Diagram  of  a  Weapon  System 


Block  1,  with  3  and  4  (computer  and 
fire  control  radar),  is  required 
for  functions  B  and  C  —  target 
tracking  and  missile  guidance. 

Blocks  1  and  3,  with  5  and  6  or  9 
(magazine  and  launcher),  are  re¬ 
quired  for  successful  launch  and 
direction  of  missiles  7  and  8  or 
10  and  11,  to  perform  function 
D  —  target  intercept. 

If  enough  is  known  about  subsystem 
configuration  at  this  point,  the  functional 
diagram  of  Figure  2-2  should  be  expanded  to 


the  extent  that  detailed  information  is  avail¬ 
able.  Block  4,  for  example,  might  be  de¬ 
veloped  as  shown  in  Figure  2-3,  to  indicate 
a  multiple  frequency  concept  to  be  employed 
in  the  track  and  guidance  radar  system. 

In  this  example,  it  is  planned  that  the 
computer  function  will  be  performed  by  an 
existing  computer,  AN/ASQ-XX,  as  indicated 
in  the  figure  by  “GFE”  (i.e.,  government- 
furnished  equipment).  All  GFE  and  CFE 
(contractor-furnished  equipment)  contemplated 
for  use  in  the  new  system  must  be  described  — 
input/output  “interface”  characteristics  as 
well  as  performance  characteristics. 
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2-2-2 


Figure  2-3.  Functional  Block  Diagram  for  a  Typical 
Weapon  Control  System 


The  same  requirement  applies  to  any 
special  component  —  existing  or  in  develop¬ 
ment  —  that  is  an  integral  part  of  the  new 
system  concept.  Assume,  for  example,  that 
the  weapon  control  radar  transmitter  is  based 
on  a  new  broadband  microwave  amplifier 
concept  already  in  development,  although 
not  yet  available  as  a  production  item.  The 
project  engineer  for  the  weapon  system,  now 
acting  in  the  role  of  the  “systems  integration 
engineer”,  must  solicit  from  the  transmitter 


project  engineer  a  complete  description  of 
the  technical  characteristics  and  requirements 
peculiar  to  his  particular  equipment  or 
component  block  in  the  overall  diagram. 
Figure  2-4  presents  a  hypothetical  microwave 
transmitter  block  diagram  to  illustrate  the 
detail  that  might  be  known  at  this  point  in 
the  planning  phase. 

Again,  the  equipment  description  at 
this  level  must  include  a  complete  definition 
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of  “boundaries”,  input/output  interfaces, 
and  actual  transfer  characteristics  to  be 
achieved  by  design.  At  this  level,  it  is 
important  to  describe  both  the  anticipated 
“application  requirement”  for  the  develop¬ 
mental  device  to  be  employed  in  the  system 
and  the  “application  ratings”  for  the  device 
as  recommended  by  its  development  contractor. 

It  is  important  to  point  out  that  the 
actual  equipment  design  is  in  fact  to  be 
optimized  on  the  basis  of  a  mutual  com¬ 


2-2-2 

patibility  between  fulfillment  of  system 
requirements  and  conservative  use  of  the 
developmental  device,  where  the  latter  is  a 
critical  factor  in  the  success  of  the  system 
concept.  For  this  reason,  in  all  instances 
in  which  new  or  unique  components  are  to 
become  integrated  into  the  system  design, 
it  is  necessary  to  go  one  more  step  in  de¬ 
scribing  the  system.  Figure  2-5  summarizes 
a  description  of  recommended  “typical 
application  conditions”  for  the  developmental 
high-power  broadband  microwave  amplifier 
tube  on  which  the  system  concept  is  based. 


Characteristics  and  Conditions 

Units 

Value 

Max 

Norn 

Min 

i 

Saturated  Power  Output 

Watts 

1500 

1200 

1000 

Gain 

DB 

35 

30 

25 

Beam  Current 

MA 

2000 

1800 

1500 

Helix  Voltage 

Volts 

8000 

Peak  Magnetic  Field 

Gausses 

760 

Period 

Inches 

1.000 

Transmission 

Percent 

95 

90 

85 

Wave  Guide  Coupling 

VSWR 

2.5 

Frequency  Range 

MC 

12500 

8000 

Coupler  Insertion  Loss 

DB 

0.1 

Temperature  (Storage) 

°C 

+85 

-62 

Temperature  (Operating)* 

°C 

+55 

Shock,  15  g’s  11  milliseconds 

Cycles 

20 

Vibration,  50  to  500  cps  2  g’s  (1-minute  sweep) 

Cycles 

30 

*Water  cooling. 

Figure  2-5.  Characteristics  and  Typical  Operating 
Conditions  for  a  Critical  Component 


STEP  2  -  ^escr*^)ethe  Anticipated  “Use” 
- -I -  Conditions  for  the  System. 

Describe  the  anticipated  installation 
interfaces,  the  interference  characteristics 
of  adjacent  or  associated  systems,  and  the 
general  physical  environments  and  use  con¬ 


ditions  with  which  the  system  is  to  be  com¬ 
patible  in  its  ultimate  application.  Include 
storage,  handling,  maintenance,  and  check¬ 
out,  as  well  as  operational  conditions.  These 
“exterior”  factors,  depicted  under  three  broad 
general  categories  in  Figure  2-2,  would  in¬ 
clude  but  not  be  limited  to  those  shown  in 
Figure  2-6. 
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lnterhcti  with  Competing  System i 


Description 


Primary  Electrical  Power  Source: 

Terminal  Voltages  and  Tolerances 
Frequency  and  Tolerances 
Phases  and  Connection 
Regulation  (full  load  to  no  load) 

Peak  and  Average  Capacity  (available  to  system) 

Primary  Hydraulic  and  Pneumatic  Power  Source: 

Nominal  Pressure  and  Tolerances 
Peak  and  Average  Capac  ity 

Control  Signal  Sources  (analog  and  digital): 

Frequency  or  Bit  Rate 
Signal  Levels  and  Tolerances 
Impedances 

Vibration  and  Shock  at  Physical  (mounting)  Interfaces: 
Frequencies 
G-levels 
Duration 

Thermal  and  Humidity: 

Heat  Sink  Characteristics  (water  coolants,  etc.) 
Air  Conditioning  Capacity 


115  volts  ±10% 

60  cycles  il% 
3-phase  delta 
2% 

10  kw  +0%,  -10% 


Interactions  with  Support  Systems 


Maintenance  Policy: 

On-Line  Maintenance  Provisions 
Preventive  and  Marginal  Testing  Procedures 
Level  of  Technician  Qualification 

Operating  Policy: 

Procedures 

Qualifications  of  Personnel 

Failure  Dependencies: 

Isolation  Requirements 
Protective  Features,  Inherent 
Fail-Safe  Protection,  Required 


Interference  from  (and  to)  Adjacent  Systems 


Radio  Frequency  Interference  (noise  and  power): 

Frequency  Spectrum 
Modulation  Characteristics 
Radiation  Pattern  and  Power 
Protective  Features,  Inherent 
Isolation  (shielding).  Required 
Radiation  (damage)  Control  Requirements 

Physical  Interference: 

Structural  Shadows  and  Beam  Deformation 
Induced  Vibration,  Shock,  and  Thermal  Environments 


Figure  2-6.  Example  of  System  Use  Condition  Definitions 
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—  Define  Mission  Profiles 

STEP  3  -  Operating  Time,  and  Duty 

Cycles. _ 

Estimate  the  range  of  probable  mission 
lengths  or  engagement  periods  over  which 
the  system  should  be  capable  of  operating, 
following  an  alert.  Calculate  the  operating 
time  or  duty  cycles  of  individual  system 
functions  and  subsystems  for  particular 
(typical)  mission  profiles. 

Continuing  with  the  example  of 
Figure  2-2,  a  hypothetical  mission  profile 
is  illustrated  in  Figure  2-7,  in  which  the 
system  must  be  capable  of  continuous 
operation  in  the  general  surveillance  mode 
and  must  be  capable  of  performing  all 
functions  continuously  throughout  a  3-hour 
engagement  period.  Note  that  launcher 
operation  is  expressed  in  number  of  consecu¬ 
tive  launchings  or  launch  cycles,  and  missiles 
are  divided  among  30-day  storage  time  follow¬ 
ing  system  checkout,  3-hour  launcher  time 


following  prelaunch  checkout,  and  80  sec¬ 
onds  of  flight  time. 


STEP  4  —  Effectiveness  Require- 

_ _ _  ments  for  the  System. 

The  levels  of  performance,  reliability, 
and  availability  required  in  each  of  the 
functions  listed  in  the  previous  step  are 
directly  related  to  the  minimum  level  of 
effectiveness  considered  tactically  accept¬ 
able,  where  effectiveness  is  defined  as  the 
joint  probability  of  being  operationally  ready 
and  capable  of  performing  a  given  function 
when  needed  and  of  surviving  the  period  of 
the  need  without  failure.  This  may  have 
been  defined  by  the  SOR  as  the  required 
“kill  probability”  for  the  system. 

In  the  missile  weapon  system  example, 
assume  an  OPNAV  requirement  for  a  kill 
probability  of  50%  for  an  individual  missile 
launched  at  any  time  against  a  particular 


Mission  or  Mode 

Function 

Level 

Subsystems 

Involved 

Operating  Time,  or 

Probable  Engagement 

Period,  Tm 

Surveillance 

A 

I 

1  and  2 

Continuous,  24  hours* 

Engagement 

Target  Acquisition 
and  Track 

A  and  B 

ALL 

3  and  4 

3  hours 

Missile  Control 
and  Guidance 
Missile  Checkout, 
Load, and  Launch 
Target  Intercept 

Warhead  and  Fuze 

C 

& 

°2 

Same  as  D2  above 

4  and  5 

5  and  6  or  7 

7  or  8,  or 

10  or  11 

3  hours 

60  cycles  in  3  hours 

30-day  storage; 

3  hours  in  “ready”  service; 
80  seconds  flight. 

*2-hour  daily  preventive  maintenance  period  included. 

Figure  2-7.  Example  of  Mission  Profile  and  Related  Operating  Times 
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class  of  target,  within  a  specified  defense 
perimeter  of  the  weapon  system.  This  re¬ 
quirement  implies  that  the  product  of  per¬ 
formance  reliability  and  availability  at  the 
overall  weapon  system  level  must  be  50%. 
For  a  specified  level  of  performance,  effec¬ 
tiveness  might  be  expressed  as 

E.=(R.MA,). 

conditional  on  performance  capability 
=  1.0  at  the  specified  level 

=  (R,Ar)(RwcAwe)(R„A.)(RLAL)(Ew) 

=  70% 

where  (R)  (A)  are  products  of  reliability  and 
availability  for  the  constituent  systems  — 
search  radar,  weapon  control  radar,  missile, 
launcher,  etc.  —  and  Ew  is  the  known  effec¬ 
tiveness  of  the  missile  warhead  (GFE).  Note 
that  these  are  all  “nominal”  values  based 
on  observed  data  or  on  specified  nominal 
design  requirements.  They  are  not  the  lower 
90%  confidence  limits.  The  latter  should  not 
be  multiplied  together  unless  intentionally 
to  produce  a  conservative  estimate  of  Es. 

In  some  cases,  the  system  in  question 
is  to  become  part  of  an  existing  system  -  a 
radar  system  within  an  existing  missile 
weapon  system,  for  example.  In  such  cases, 
it  is  necessary  to  start  with  the  required  kill 
probability  for  the  entire  weapon  system,  and 
then  divide  out  the  known  or  estimated  effec¬ 
tiveness  of  the  other  systems  with  which  the 
new  system  is  to  work. 

In  other  cases,  the  entire  weapon 
system  may  be  a  new  concept  on  which  there 
are  no  past  reliability  and  availability  data 
for  any  of  its  subsystems.  In  such  cases,  it 
is  necessary  to  make  an  arbitrary  allocation 
of  effectiveness  requirements  among  sub¬ 
systems,  based  on  past  experience  with 
similar  systems  of  comparable  function  and 
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complexity.  This  is  permissible  until  design 
studies  disclose  flaws  in  the  extrapolation 
and  appropriately  “update”  the  allocation. 

In  either  case,  allocated  effectiveness 
requirements  of  a  subsystem  are  related  to 
the  balance  of  the  major  system  as  shown  in 
the  following  weapon  control  radar  example. 

Solving  for  Ewc,  the  RwcAwc  product 
for  the  weapon  control  radar  system  yields 


<*W  <R„Am)(RLAL)(Ew)* 

for  a  specified  level  of  performance 

Rwc  is  the  reliability  requirement  for  the 
weapon  control  radar  system  for  the  specified 
mission  period  for  a  specified  level  of  per¬ 
formance.  A  is  the  availability  or 
operational  readiness  requirement  placed  on 
the  radar  system,  expressed  as  the  probability 
that  the  system  will  be  in  an  operational 
status  at  the  specified  level  of  performance, 
when  needed. 

Tentative  effectiveness  allocations  are 
shown  for  the  hypothetical  weapon  control 
system  in  Figure  2-8. 

Assume  that  the  required  radar  ef¬ 
fectiveness  derived  above  is  0.92  for  both 
target  track  and  missile  guidance;  i.e.,  the 
weapon  control  system  must  be  operationally 
ready  to  perform  at  a  selected  level  and  must 
remain  in  operation  at  this  level  throughout 
an  engagement  period,  Tm  =  3  hours,  with  a 
probability  of  0.92. 

The  chart  also  illustrates  the  assign¬ 
ment  of  “allocation”  of  effectiveness  re¬ 
quirements  to  other  system  elements  based 
on  “experience”  or  stated  requirements. 
All  values  are  nominal,  i.e.,  mean  observed 
or  mean  required. 
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Effectiveness 

Mission  or  Mode 

Function 

i 

T 

xm 

Allocation* 

E, 

Basis 

Surveillance 

A 

3  hours 

.96 

Req  (1) 

Target  Track 

B 

3  hours 

.95 

.92 

Req  (1) 

Missile  Guidance 

C 

3  hours 

.97j 

Req  (1) 

Missile  Launch 

Dl 

60  cycles 

.99 

Exp  (2) 

Missile  Ready 

D2 

30  days 

.93 

Exp  (2) 

Missile  on  Launcher 

3  hours 

.95 

E  xp  (2) 

Missile  Flight 

80  seconds 

.98 

Exp  (2) 

Target  Destruction 

Fuze  & 
Warhead 

Same  as  D2 

.92 

Exp  (2) 

*7fEj  = 

.7 

Req  (1) 

(1)  System  requirement  derived  from  SOR. 

(2)  Estimated  on  basis  of  past  experience. 

Figure  2-8.  Example  of  Effectiveness  Allocation  Among  Major  Subsystems 


Define  System  Performance 
_  Requirements  and  System 
“Failure”  by  Operating  Mode. 

Define  system  performance  require¬ 
ments  within  each  of  the  operating  modes  — 
the  minimum  level  of  performance  required 
for  success  in  each  of  the  several  tactical 
situations  described  in  the  SOR.  This  is 
frequently  difficult  because  the  performance 
“envelope”  of  a  typical  system  includes 
many  variables  —  some  independent,  many 
interdependent. 

It  is  usually  sufficient,  however,  to 
treat  the  principal  system  characteristics 
individually  for  an  approximate  solution  in 
the  system  planning  and  preliminary  design 


stages.  V  Figure  2-9  illustrates  a  possible 
graphical  representation  of  the  distribution 
of  one  principal  performance  parameter,  X. 
Discrete  points  on  this  curve  may  correspond 
to  selected  lower  boundaries  of  measurable 
performance  for  particular  mission  profiles  or 
target  classes.  These  lower  boundaries  de¬ 
fine  minimum  acceptable  performance  for 
several  specified  levels. 

These  points  also  establish  the  failure 
definitions  for  the  system  in  each  of  the  per¬ 
formance  levels.  Performance  characteristics 
should  be  tabulated  as  shown  in  Figure  2-10. 

2/Later  on  (in  the  early  design  phase)  the  use  of 
Monte  Carlo  methods  becomes  practical  with  the 
aid  of  a  computer  when  enough  is  known  about  the 
distributional  forms  of  individual  performance  char¬ 
acteristics. 


STEP  5 
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PERFORMANCE  PARA/METER  "X" 

Figure  2-9.  Distribution  of  Performance  Parameter 


System  Function  and 

Units* 

Performance  Characteristic 

- - - - - 

O 

O 

O 


Search  (Radar  Range  for  1  M2  Target) 

°  Transmitter  Power  Output 
Beam  Dimensions 
Receiver  Sensitivity 
Receiver  Signal/Noise  Ratio 

Track  (Range  and  Capacity) 
o 

o 

o 

Guidance  (Range,  Accuracy,  and  Capacity) 
o 
o 
o 

Weapon  Control  and  Direction 
(Automatism,  Manual  Response, 

Storage  Capacity,  Launch  Rate,  etc.) 


o 

o 


Missile  (Range,  Maneuverability) 


%oi 

Design 

Goal 


Performance  Level 
(Lower  Limits) 


1 


60 

(80) 

(80) 

(90) 


II 


80 

(90) 

(90) 

(95) 


III 


90 

(95) 

(95) 

(98) 


•Expressed  as  a  percentage 
of  specified  design  goal 
to  avoid  the  need  for 
“security”  classification. 


Figure  2-10.  Example  of  Multiple-Level  System  Performance  Definition 
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Define  the  Reliability  Require¬ 
ment. 


Construct  a  preliminary  reliability  block 
diagram  from  the  functional  block  diagram  of 
Step  1.  The  reliability  diagram  should  show 
the  series  parallel  relationships  of  subsystems 
required  for  the  performance  of  individual 
system  functions.  Figure  2-11  is  an  example 
applied  to  the  weapon  control  system  of 


Figure  2-2.  Translate  OPNAV  reliability 
requirements  expressed  intheSOR  into  MTBF 
or  probability  of  mission  success  definitions 
depending  upon  the  mission  profile  and  the 
nature  of  the  time  base.  For  example,  re¬ 
liability  of  Block  4,  the  weapon  control  radar 
function,  should  be  expressed  as  a  prob¬ 
ability  of  survival  of  .92  for  a  three-hour 
engagement  period  at  Level  I  (design  goal) 
performance  as  shown  in  Figure  2-12. 


STEP  6 


WEAPON  SYSTEM  BOUNDARY 


f  |  SYSTEM 


Figure  2-11.  Reliobility  Block  Diagram  of  a  Weapon  System 
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Mission 


Surveillance 


Tactical 

Engagement 


Function 

or 

Mode 


A 

3  Hours 

.98 

B  and  C 

3  Hours 

Level  I 

.92 

Level  II 

.96 

Level  III 

.98 

Di 

60  Cycles 

.99 

d2 

30  days 

.94 

3  Hours 

.97 

80  Seconds 

.99 

Fuze 

Same 

& 

as 

.94 

Warhead 

d2 

ill  i 

*Usually  defined  at  the  lower  90%  confidence  level  (see  Appendix  3) 


Figure  2-12.  Definition  of  Reliability  Requirements  for  a  Typical  Weapon  System 


As  in  Step  1,  it  is  important  that 
reliability  diagramming  be  extended  to  the 
level  at  which  planning  information  is  firm. 
Figure  2-13  illustrates  an  expansion  of 
Block  4  of  Figure  2-11  corresponding  to  the 
functional  detail  developed  in  Step  1. 


Reliability  diagrams  should  show  plans 
for  redundancy,  “on-line  maintenance’’,  and 
other  essential  features  of  design  that  are 
prescribed  as  part  of  the  concept.  Figure 
2-14  illustrates  a  reliability  block  diagram 
developed  for  the  transmitter  subsystem.  The 
project  engineer  in  this  case  was  aware  of 


the  potential  reliability  problems  associated 
with  microwave  power  amplifiers.  He  pre¬ 
scribed  a  design  configuration  employing 
partial  redundancy  with  “on-line”  repair 
capability,  to  achieve  the  desired  level  of 
maintainability  and  “reliability-with-repair” 

In  this  example  reliability  requirements 
are  related  to  three  levels  of  performance  as 
shown  in  Figure  2-15,  where  Level  I  is  the 
design  goal  or  “nominal”  power  output  re¬ 
quirement  with  all  five  amplifier  paths 
operational.  Level  III  is  defined  as  “mini¬ 
mum”  acceptable  power  output  with  only 
three  paths  operational. 
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Figure  2-15.  Reliability  Requirements  Related  to  Performance  Levels 
for  the  Partially  Redundant  Case 


Reliability  requirements  that  might  be  de-  in  Figure  2-16  for  each  level  of  performance, 
rived  for  the  Transmitter  Package,  are  shown  Both  nominal  and  minimum  values  are  shown. 


Performance 

Scale 

Power  Output 

Peak  KW 

Rnom.  (3  Hrs  ) 

Rmin.  (3  Hrs  ) 

l 

2000 

.98 

.96 

II 

1600 

.99 

.98 

III 

1200 

.995 

.99 

Figure  2-16.  Reliability  Requirements  for  Microwave  Transmitter  Package 


If  it  is  deduced  that  the  reliability  re¬ 
quirement  dictated  by  an  effectiveness 
requirement  exceeds  the  state-of-art  bench¬ 
mark  for  attainable  reliability,  redundant 
design  techniques  or  “on-line”  maintenance 
provisions  may  be  necessary.  As  a  rule  of 
thumb,  if  the  requirement  exceeds  the 
“benchmark”  by  two-to-one  or  more  (in 


equivalent  exponential  mean  life),  redundancy 
is  indicated. 

This  anticipated  design  requirement 
must  then  be  included  as  part  of  the  system 
description  —  to  guide  program  planning  and 
prospective  design  activities  in  the  study  of 
design  feasibility  and  reliability  allocation. 
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STEP  7 


Define  Availability  and  Main- 
tainability  Requirements. _ 


Previous  definitions  of  reliability  and 
effectiveness  also  establish  the  value  of 
availability  to  be  specified.  From  this,  the 
maintainability  requirement  can  be  defined 
as  shown  in  the  following  equation: 

Availability,  A  = 


1 

1  +  MTR 
MTBF 


where  MTBF  is  the  mean  time-to-failure; 

MTR  is  the  average  time  required  to 


restore  the  system  to  operational 
status  following  a  failure,  or  initia¬ 
tion  of  a  preventive  maintenance 
task. 

Solving  for  maintainability: 

MTR  =(a  - 

A  trade-off  between  reliability  and 
maintainability  may  be  permissible.  This 
should  be  indicated  to  permit  some  degree  of 
design  flexibility  consistent  with  the  effec¬ 
tiveness  requirement.  Such  a  trade-off  is 
illustrated  in  Figure  2-17,  showing  how  an 
effectiveness  requirement  of  .7  can  be 


RELIABILITY 


AVAILABILITY 


Figure  2-17.  Conditional  Effectiveness  Hyperbola,  E,  for  Specified  Levels  of  Reliability 
and  Availability,  Conditional  on  Performance  Capability  =  1.0 
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AVAIUMUTY 


Figure  2-18.  Relationship  between  Availability  and  MTR/MTBF 


satisfied  with  an  infinite  number  of 
availability/reliability  combinations  for  a 
given  level  of  performance. 

The  relationship  between  availability, 
A,  and  the  ratio  MTR/MTBF  is  shown  in 
Figure  2-18. 

EXAMPLE:  A  new  system  is  to  be  de¬ 
veloped  to  satisfy  an  availability  re¬ 


quirement  of  .99.  An  MTR/MTBF  ratio 
of  .01  will  be  necessary  to  satisfy  the 
requirement.  An  MTBF  requirement  of 
100  hours  had  also  been  specified  to 
satisfy  the  reliability  requirement. 
From  this  it  can  be  seen  that  the 
system  must  be  designed  for  a  mean- 
time-to-repair  of  one  hour.  This,  then, 
defines  the  maintainability  requirement 
for  this  particular  combination  of 
effectiveness  parameters. 
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2-3  RELIABILITY  FEASIBILITY  ESTIMATION  AND  ALLOCATION 


2-3-1.  General 

The  preceding  requirements  analysis 
defined  “acceptable”  levels  of  system  re¬ 
liability  and  availability,  to  satisfy  system 
effectiveness  requirements  for  given  levels 
of  performance  anti  modes  of  operation. 

After  an  acceptable  reliability  or 
failure  rate  for  the  system  has  been  assigned, 
it  must  be  apportioned  among  the  various  sub¬ 
systems  as  design  requirements  applicable 
to  responsible  development  contractors.  Con¬ 
currently,  it  is  necessary  to  estimate  the 
feasibility  of  achieving  these  requirements 
by  conventional  design — 

(1)  To  determine  the  extent  of  special  R  &  D 
support  required  in  specific  areas. 

(2)  To  determine  the  advisability  of  a 
reliability/ maintainability  feasibility 
study  prior  to  award  of  a  design  and 
development  contract. 

(3)  To  anticipate  the  probable  tradeoffs  in 
weight,  space,  power,  and  performance 
that  will  be  required  to  achieve  the  re- 
liabi li ty/ avai lability  requirements. 

(4)  To  establish  the  emphasis  for  imple¬ 
mentation  and  operation  of  a  formal  re¬ 
liability  assurance  and  monitoring  pro¬ 
gram. 

(5)  To  more  accurately  predict  development 
costs  and  time  required  before  an  accept¬ 
able  prototype  is  likely  to  be  delivered. 

The  procedures  outlined  in  this  section 
are  equally  applicable  in  design,  development, 
and  product  improvement  phases.  The  pre¬ 
cision  of  estimation,  of  course,  increases  in 
these  latter  phases  as  test  and  field  data 
become  available. 

Both  the  feasibility  estimate  and  the 
allocated  requirement  must  be  based  on  a 


knowledge  of  the  complexity  of  the  product 
under  consideration,  in  order  to  permit  an 
analysis  by  methods  outlined  in  either 
MIL-STD-756A  or  M1L-HDBK-217. 


2-3-2.  Active  Element  Group  Concept 
of  Complexity 

In  the  concept  and  planning  stage, 
specific  hardware  items  usually  have  not 
been  selected  or  conceived  in  detail.  Thus, 
allocation  of  failure  rates  must  be  based  on 
prior  experience  with  similar  items  or 
functions,  although  new  design  philosophies 
and  concepts  must  not  be  penalized  by  being 
restrictive  to  existing  configurations.  This 
consideration  has  led  to  the  “active  element 
groups”  (AEG)  concept  of  system  definition, 
where  the  AEG  is  the  smallest  practical 
functional  building  block  which  could  be 
economically  considered  and  which  would 
not  be  specifically  related  to  existing  con¬ 
figurations.  An  active  element  is  defined  as 
a  device  which  controls  or  converts  energy. 
An  active  element  group  consists  of  one 
active  element  and  a  number  of  passive 
elements  normally  required  to  perform  a 
specific  function.  Examples  of  active 
elements  are  electron  tubes,  relays,  pumps, 
combustion  chambers,  and  rotating  machines. 
A  typical  electronic  AEG  might  consist  of 
an  electron  tube  or  transistor  and  several 
resistors  and  capacitors.  A  typical  relay 
AEG  might  consist  of  the  relay,  its  solenoid, 
and  from  two  to  ten  circuit  contacts. 

Figure  2-19  shows  the  familiar  plot 
based  on  MIL-STD-756A,  in  which  system 
mean-time-between-failure  (MTBF)  is  related 
to  system  complexity,  on  the  basis  of  current 
Fleet  experience  in  airborne  and  shipboard 
installations  of  conventional  non-redundant 
designs,  predominantly  analog  in  function. 
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2-3-3.  Procedural  Steps 

The  following  basic  steps  apply  to  the 
use  of  this  past  experience  in  the  estimation 
of  reliability  feasibility  and  the  allocation  of 
reliability  requirements: 


(l)  Develop  the  Reliability  Block 
Diagram. 


© 

© 


Derive  mathematical  models. 

Estimate  complexity  and  MTBF 
of  the  system. 


© 

© 


Estimate  subsystem  failure  rates. 

Estimate  feasible  MTBF  and  re¬ 
liability. 


Allocate  failure  rate  and  reliability. 

Consider  redundant  configurations. 

Evaluate  feasibility  of  allocated 
requirements. 


Figure  2-20  shows  the  evolution  of  the 
detailed  block  diagram  —  going  from  the 
weapon  system  level  down  to  the  part  level  — 
as  a  function  of  design  evolution. 


Levels  1  and  11  diagrams  are  usually 
producible  from  information  available  in  the 
system  planning  phase  and  are  considered 
adequate  for  preliminary  feasibility  estimation 
and  reliability  allocation. 

The  Level  Ill  diagram  is  usually 
producible  in  the  early  design  proposal  stage. 

The  Level  IV  diagram  is  producible 
after  a  period  of  design  formulation  and 
review  in  which  a  definitive  design  has 
resulted. 

Level  V  represents  the  failure  mode 
diagram  at  the  part  level,  where  it  becomes* 
practicable  to  perform  stress  analyses  and 
failure  mode  studies  on  individual  parts 
within  the  system.  Such  detailed  information 
may  be  available  in  the  early  planning  phase 
on  certain  critical  parts  known  to  be 
essential  to  the  success  of  the  system 
concept. 


Develop  the  Reliability  Block 
Diagram. _ 

It  is  necessary  to  go  within  each  block 
of  the  system  block  diagram  to  develop  a 
reasonable  approximation  of  a  subsystem 
diagram  containing  those  units  required  to 
perform  the  subsystem  function.  To  the 
extent  that  design  information  is  available 
at  this  early  stage  of  system  planning,  it 
may  be  desirable  to  go  further  down  into  the 
system  to  block  diagram  specific  design 
configurations  at  the  subsystem  and  com¬ 
ponent  levels  -  especially  if  planned 
features  of  the  design  concept  include  the 
application  of  redundancy  or  unique  devices 
at  these  lower  levels. 


In  the  development  of  a  block  diagram, 
units  that  are  predominantly  electronic  in 
function  are  classified  and  symbolized  as 
electronic  units,  even  though  mechanical 
elements  may  be  involved  in  the  performance 
of  an  output  function.  Units  that  are  pre¬ 
dominantly  mechanical,  or  otherwise 
essentially  non-electronic  in  nature,  are 
identified  accordingly.  Any  unit  redundancy 
contemplated  at  this  stage  of  system  planning 
should  be  shown,  as  well  as  any  planned 
provisions  for  alternate  mode  capability.  To 
the  extent  practicable,  the  block  diagram 
should  be  constructed  so  that  each  unit  can 
be  assumed  functionally  independent  of  its 
neighboring  unit  so  far  as  its  specific  transfer 
function  is  concerned. 


STEP  1 
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STEP  2  -  Derive  Mathematical  Models. 

The  block  diagram  helps  to  visualize  physical  relationships  and  specific  subsystem 
configurations.  The  mathematical  model  relates  individual  “block”  reliability  to  the  re¬ 
liabilities  of  its  constituent  blocks  or  elements. 

Progressing  from  Level  1  to  Level  V,  f or  example. 

System  Reliability,  Ra  =  Rj  xR2xRJxR1 

where  R.  =  R  xR.xR  xR,  xR 

4  a  d  c  a  e 

Rc  =  R,  x  R.,  [wi-R>)(l.RlliR.>)J[wi.R>1^ 

Ri,=  RxRlRcRr[i-0c2][i-0x2]  [l-QD2]  2 

where 

Q  =  1-R,  e.g.,  Qd  =  1-Rd 
Rd  =  e  for  a  particular  part 
=  +  ^8 

Subscripts  o,  t,  and  s  denote  open,  tolerance, 
and  short  modes  of  failure,  respectively 

The  model  can  be  solved  using  the  simplified  notation  presented  in  2.1.8  of  Appendix  2. 
Applied  to  the  Level  III  diagram  of  Figure  2-20,  for  example,  the  following  notations  are 
appropriate: 

Let  R.  =  a;  R..  =  b;  RUi  =  c;  etc. 

and  ( 1-R .)=  a;  (1-RU)  =  f>;  (1-Rijj)  =  c;  etc. 

Then,  dividing  the  Level  HI  diagram  into  3  groups,  there  is  the  following  tabulation 
for  all  possible  combinations  of  successful  performance: 

Group  1:  R1  =  ab  (a  and  b  required) 

Group  2:  R2  =  cde  +  cde  +  cde  +  cde  +  cde  (either  c  and  d,  or  e,  required) 

Group  3:  R3  =  fgh  +  fgh  +  fgh  +  fgh  (2  of  3  required) 

Combining:  Rin=  Rj  xR2  xR} 
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EXAMPLE:  Reliability  estimates  have  been  derived  for  all  co  m  po  n  en  t  s  of  Sub¬ 
system  c  —  the  guidance  and  control  package  —  of  a  new  surface-to-air  missile  to  be  de¬ 
veloped  for  a  major  weapon  system.  For  a  flight  time  of  80  seconds,  the  following 
component  reliabilities  and  corresponding  UNreliabilities  have  been  estimated. 

Group  1:  a  =  Rj  =  .99  a  =  (1-R.  )  =  .01 

b  =  R.j  =  .98  E  =  (1-Rjj  )  =  .02 

Group  2:  c  =  R...  =  .95  c  =  (1-R...)  =  .05 

d  =  Riv  =  .95  d  =  (1-R.")  =  .05 

e  =  Rv  =.90  e  =  (1-R v  )  =  .10 

Group  3:  f  =  g  =  h  =  Rvi  =.90  f  =  g  =  h  =  (1-Rvi)  =  .10 

Rx  =  ab  =  (.99)  (.98)  =  .97 

R2  =  cde  +  cde  +  c3e  +  cde  +  cde 

=  (.95)  (.95)  (.90)  +  (.95)  (.95)  (.10) 

+  (.95)  (.05)  (.90)  +  (.05)  (.95)  (.90) 

+  (.05)  (.05)  (.90) 

=  .99 

R3  =  fgh  +  fgh  +  fgh  +  fgE  =  (.9)3  +  3  (,9)2  (.1)  =  .97 

Estimated  reliability  feasibility  for  a  guidance  subsystem  of  this  particular  design  con¬ 
figuration  is  then: 

Riu  =  Ri  xR2  x  R3  =  (.97) (.99) (.97)  =  .93 


maybe  small.  Non-electronic  devices  include 
structural  elements,  engines  and  propulsion 
systems,  mechanical  drives  and  linkages, 
and  hydraulic  and  pneumatic  elements. 

As  an  example,  assume  that  Block  4  of 
Figure  2-20  is  the  fire  control  radar  of  a 
weapon  control  system  to  be  developed  for 
airborne  use.  Depending  upon  the  detail  of 
the  available  design  information  and  the  level 
at  which  Block  4  can  be  diagramed,  a  range 
of  probable  system  complexity  might  be 
estimated  at,  say,  between  250  and  500  AEG’s. 


Estimate  the  Complexity  and 
—  RangeofFeasibleFailure  Rates 
for  the  System. 

Functional  complexity  of  predominantly 
electronic  units  can  be  estimated  on  the 
basis  of  electronic  AEG’s  required  to  perform 
the  unit  function.  Non-electronic  elements 
within  an  electronic  unit  can  be  considered 
uniformly  distributed  among  the  electronic 
AEG’s  without  appreciable  error. 
Non-electronic  units,  however,  must  be  ac¬ 
counted  for  separately  even  though  their 
relative  contribution  to  system  unreliability 


2-24 


NAVWEPS  00-65-502 


2-3-3 


ESTIMATE)  RANGE 
OF  COMPLEXITY 


Figure  2-21.  Translation  of  Estimated  Complexity  Range 
to  Probable  Range  of  Reliability  Feasibility 


On  the  basis  of  Level  I  data  drawn  from 
past  experience  with  systems  of  comparable 
function  and  complexity,  a  preliminary 
estimate  of  MTBF  can  be  made  directly  from 
Figure  2-19,  as  shown  in  the  block  below. 


Figure  2-21  illustrates  the  method  by 
which  these  values  of  MTBF  are  derived  from 
Figure  2-19.  They  are  then  translated  to  a 
pair  of  reliability  functions  embracing  the 
feasibility  of  estimate  using  either  Figure  1-7 


Estimated  Range  of  Complexity:  250  to  500  AEG’s 

Probable  Range  of  MTBF  ( 0 j  to  0,)  =  5.5  to  14  hours 

Range  of  Block  Failure  Rate  (1/0)  =  .071  to  .182  failures  per  hour 

Range  of  Reliability  Feasibility 

(Rj  to  R2)  =  .40  to  .70,  for  T  =  5  hours 
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or  the  nomographs  of  Appendix  3.  If  the 
stated  requirement  falls  within  this  range,  it 
can  be  said  to  be  feasible  by  conventional 
design. 

As  the  functional  characteristics  of 
the  system  become  better  defined,  a  more 
precise  count  of  AEG’s  can  be  made.  As¬ 
sume  for  example  that  Block  4  is  to  consist 
of  approximately  250  analog  and  power  AEG’s 
and  approximately  500  digital  AEG’s. 

Prior  experience  has  shown,  for 
failure-rate  estimating  purposes,  that  the 


digital  AEG  is  equivalent  to  about  one- 
tenth  of  an  analog  AEG  -  i.e.,  1  analog 
AEG  =  10  digital  AEG’s.  This  difference  is 
attributable  to  the  fact  that  the  digital  AEG 
is  basically  an  on/off  switching  device  and, 
consequently  is  not  as  susceptible  to  the 
variability  of  parts  characteristics. 

The  equivalent  analog  complexity  of 
Block  4  is  then  estimated  to  be  300  AEG’s. 
Referring  now  to  Figure  2-19  (MIL-STD-756A), 
the  point  estimate  of  system  MTBF  is  12 
hours  and  system  reliability  for  the  5-hour 
mission  is  R(Tm)  =  .66. 


STEP  4 


—  Evaluate  Feasibility  on  Basis  of  Subsystem  Analysis 


If  the  design  concept  is  known  in  sufficient  detail  to  permit  a  Level  II  analysis,  Block 
4  might  be  further  detailed  as  follows: 


Subsystem 

a 

b 

c 

d 

e 


Function 
Power  Supply 

Frequency  Generator/Synch 
Receiver  and  Display  Group 
RF  Unit  (Transmitter/Modulator) 
Antenna  and  Control  Group 


Complexity 
40  Power  AEG’s 
500  Digital  AEG’s 
120  Analog  AEG’s 
40  Power  AEG’s 
50  Analog  AEG’s 


The  AEG  failure-rate  chart  of  Figure  2-22  can  then  be  used  to  estimate  average  failure 
rates  as  a  function  of  series  complexity  within  subsystems,  to  account  for  catastrophic  as 
well  as  tolerance  and  interaction  failures.  However,  the  following  rules  and  assumptions 
apply  to  analyses  made  at  the  subsystem  level: 


(1)  It  is  assumed  that  interactions  among  subsystems  are  negligible  and  that  the  tol¬ 
erance  build-up  due  to  complexity  is  interrupted  at  the  subsystem  boundary.  This 
assumption  introduces  an  error  in  the  system-level  estimate  if  subsystem  estimates 
are  combined  for  the  system  estimate.  The  error  is  “optimistic”  and  is  of  a  mag¬ 
nitude  that  is  proportional  to  the  number  of  subsystems  into  which  the  series  system 
has  been  divided  for  analysis.  The  system-level  error  can  be  rectified,  however,  by 
reconstituting  the  subsystems  into  the  single  series  configuration  for  a  total  AEG 
count  and  system  estimate. 
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Figure  2-22.  AEG  Failure  Rates  for  Reliability  Estimation  When  the  Number 

of  Active  Elements  is  Known 


2-27 


2-3-3 


NAVWEPS  00-65-502 

(2)  While  power  AEG’s  can  be  treated  as  analog  AEG’s  in  the  series  system  case 
because  they  normally  constitute  a  minority  of  the  total  AEG’s,  they  must  be  treated 
separately  in  a  subsystem  analysis  where  some  of  the  subsystems  are  primarily 
power  AEG's.  Experience  has  shown  that  power  AEG’s,  on  the  average,  experience 
a  failure  rate  approximately  two  times  the  failure  rate  for  analog  AEG’s  -  i.e., 
Apower  =  2Xanaiog>  Using  this  rule  of  thumb,  a  power  subsystem  of  a  given  com¬ 
plexity  is  assigned  an  AEG  failure  rate  twice  that  of  an  AEG  in  an  analog  subsystem 
of  the  same  complexity. 

(3)  Digital  AEG’s,  in  a  system  employing  both  analog  and  digital  circuits,  differ  from 
their  analog  counterparts  by  a  factor  of  about  10-to-l  in  their  “equivalent  complex¬ 
ity”  as  measured  by  tUnr  relative  insensitivity  to  characteristic  variability  among 
parts  within  the  circuit  ai»j  their  relative  freedom  from  interaction  problems  —  i.e., 
the  number  of  digital  AEG’s  in  a  subsystem  should  be  divided  by  ten  when  using 
the  analog  AEG  chart  for  failure-rate  estimation. 

The  following  table  is  derived  from  this  chart  for  an  estimate  of  average  “expected” 
failure  rate  per  subsystem,  applying  the  above  rules. 


Subsystem 

AEG 

Complexity 

Failure  Rate 
Per  AEG 

x  10-6 

Per  Subsystem 

a 

40  Power  2/ 

340 

13,600 

b 

500  Digital  i/ 

180 

9,000 

c 

120  Analog 

240 

28,800 

d 

40  Power 

340 

13,600 

e 

50  Analog 

180 

9,000 

Total  Block  4  Failure  Rate 

.  74,000 

2/  Power  AEG’s  have  doable  the  analog  failure  rate. 

1/ln  a  system  employing  both  analog  and  digital 
AEG's,  divide  the  number  of  digital  AEG’s  by  ten 
and  treat  as  analog. 
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STEP  5 


—  Estimate  Feasible  MTBF  and  Reliability  Values  of  the  System 


As  an  example,  overall  reliability  of  the  system  would  be  expected  to  fall  in  the  follow¬ 
ing  range,  on  the  basis  of  the  tabulation  of  Step  4: 


N  =  300  AEG’s  is  the  estimated  complexity 

MTF  Range  =  6  hours  to  30  hours 

Most  Probable  =  12  hours  (Avg) 

Failure  Rate  Range  =  .033  to  .166  failures/hour 


The  three-hour  mission  reliability  is  then  calculated  as  follows: 


Minimum  Likely 

R(3) 

=  e*3/6  =  .61 

Average  Expected 

R(3) 

II 

• 

Ca> 

*— • 

ro 

II 

00 

Maximum  Feasible 

R(3) 

-  e-3/30  _  90 

-  Allocate  Required  Failure  Rates  and  Reliability  Among  Subsystems 

Allocation  of  permissible  failure  rates  among  systems  of  the  major  weapon  system, 
and  among  subsystems  within  systems,  is  made  on  the  assumption  of  equality  of  improvement 
feasibility.  Allocation  is  then  made  by  using  as  proportionality  constants  the  ratios  of 
individual  subsystem  failure  rates  to  total  system  failure  rate.  Thus,  if  a  given  subsystem 
now  contributes  10%  of  the  total  system  failure  rate,  it  is  reasoned  that  it  should  not  be 
permitted  to  exceed  10%  of  the  total  failure  rate  allowable  under  the  new  requirement. 

To  allocate  failure  rates  among  systems,  subsystems,  or  components,  compute  the  ratio 
of  the  smaller  block  failure  rate  to  the  next  larger  block  failure  rate;  e.g.,  inthepreceding 
example,  the  proportionality  constant  for  Subsystem  c  within  System  4  is: 

k  =  =  30,000_x  IQ±  m  3?  _  3?% 

A4  82,000  x  10-6 

Continuing  with  this  example,  assume  the  system  reliability  requirement  for  a  three-hour 
mission  had  been  established  as: 

R4(3)  =  0.90,  corresponding  to  a  system  failure-rate, 

A'4  =  35,300  x  10*  failures  per  hour 

The  maximum  permissible  failure  rate  for  Subsystem  c  is  then: 

Ac  =  kcA  4  =  (-37) (35,300  xl0*6)  =  13,200  x  10*6  failures  per  hour 


STEP  6 
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The  reliability  requirement  to  be  apportioned  to  Subsystem  c  is  then  derived  from: 

Rc(3)  =  e'3A#c  =  e-3  *  l3-200  x  10’6  =  .96 

The  following  table  shows  the  allocation  procedure  applied  to  other  subsystems  within 
System  4: 


Subsystem 


Expected 
Failure  Rate 

Percent 
of  Total 

Allocated 
Failure  Rate 

Reliability 

Allocation 

13,600 

18.38 

6,850 

.98 

9,000 

12.17 

4,200 

.99 

28,800 

38.90 

13,200 

.96 

13,600 

18.38 

6,850 

.98 

9,000 

12.17 

4,200 

.99 

74,000 

100.00 

35,300 

.90 

STEP  7  —  Allocation  Among  Redundant  Configurations 


If  redundant  elements  are  known  to  be  part  of  the  system  concept,  the  above  allocation 
method  must  be  modified  to  account  for  the  planned  redundancy. 

The  following  modification  is  applicable  for  any  type  of  subsystem  and  system  re¬ 
liability  function.  The  only  necessary  statistical  or  probability  assumptions  are  that  failure 
of  any  of  the  subsystems  considered  will  result  in  system  failure  and  that  the  failure  prob¬ 
ability  of  each  subsystem  is  independent  of  all  other  subsystems.  This  will  allow  the  use  of 
the  product  formula  for  system  reliability  upon  which  the  method  is  based. 

The  method  of  allocation  when  redundancy  is  present  in  the  subsystem  follows: 

(1)  Draw  a  reliability  block  diagram  of  the  subsystem  in  question.  Also  construct  an 
equivalent  (functional)  non-redundant  subsystem.  The  equivalent  non-redundant 
subsystem  would  consist  of  the  minimum  number  of  AEG’s  necessary  to  perform 
the  subsystem  function. 
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(2)  Select  the  number  of  hours,  T,  over  which  a  high  system  reliability  is  desired. 
T  would  be  defined  by  the  mission  requirements  or  the  average  time  interval  be¬ 
fore  corrective  maintenance  or  unit  replacement. 

(3)  Using  estimated  base  failure  rates,  evaluate  R(T)  for  both  the  redundant  and 
non-redundant  configurations  described  in  (1)  above. 

(4)  The  failure  rate  factor  for  the  redundant  subsystem  is  estimated  by: 


where 

Af  is  the  estimated  failure  rate  for  the  re¬ 
dundant  subsystem 

Ag  is  the  failure  rate  for  the  equivalent 

non-redundant  subsystem 

R(T)a  is  the  calculated  reliability  at  time  T  of 
the  non-redundant  subsystem  (using  AEG 
failure  rates) 

R(T)r  is  the  calculated  reliability  at  time  T  of 
the  redundant  subsystem  (using  AEG 
failure  rates) 

(5)  Specify  R*(T),  the  desired  system  reliability  at  time  T,  and  compute  the  total 
system  failure  rate, 

Aq  =  2Aj 
i 

where  Aj  is  the  failure  rate  of  the  ith  subsystem. 

(6)  The  allocated  reliability  for  Subsystem  i  is 

Rf  (T)  =  R*(T)AiAo 

(NOTE:  For  non-redundant  subsystems,  the  allocated  failure  rate  is 
_  -LnR*(T)  , 

Aj - —  •) 


(7)  Check  the  allocation. 
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SUBSYSTEM  S3 


SUBSYSTEM  S, 


SUBSYSTEM  Si 


Figure  2-23.  Reliability  Block  Diagram  with  Redundant  Elements 

EXAMPLE:  Assume  the  reliability  block  diagram  of  a  system  is  as  shown  in  Figure  2-23. 

Each  box  represents  a  complex  equipment  made  of  several  AEG’s.  The  failure  rates 
and  the  estimated  mean  lives  are: 


Subsystem 


Failure  Rate  x  10' 


Mean  Life 


Si 

20,000 

50  hours 

S2 

15,000 

67  hours 

c  (a 

3(c 

10,000 

20,000 

100  hours 

50  hours 

(1)  Establish  equivalent  non-redundant  units. 

Sj  and  S2  subsystems  are  non-redundant  with  all  constituent  elements  in 
series.  S3  has  two  parallel  elements  in  series  with  another  element.  Since  only 
one  of  the  two  parallel  elements  is  necessary  for  performing  the  system  function, 
we  have  S3,  as  shown  in  Figure  2-24. 

Figure  2-24.  Equivalent  Non-Redundant  Unit 
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(2)  Determine  critical  time  period. 

Assume  corrective  maintenance  is  performed  every  50  hours;  hence,  T  =  50. 

(3)  Compute R(T)sfornon-redundant  units  and  R(T)r  for  redundant  units  at  T  =  50  hours. 
N on-R  edundant  Unit: 

R(T)s  =  R(T)axR(T)c 

=  e-T/ioo  *  e-T/so 

=  .606  x. 368  =  .223 

Redundant  Unit: 

R(T)  =  R(T)  x  R(T)  [2  -  R(T)  ] 

i  a  c  c 

=  .606  x  .368  [2  -  .3681  =  .364 

(4)  Compute  base  failure  rate  factor  for  redundant  unit,  with 

Ag  =  (10,000  +  20,000)  x  10-6  =  30,000  x  10’6 

R(T)s  =  .223 
R(T)r  =  .364 

Then, 


=  18,300  x  10*6 

(5)  Convert  desired  reliability  to  total  system  failure  rate. 

Assume  that  at  50  hours,  the  reliability  requirement  is  specified  to  be  .75. 
Hence,  R*(T)  =  .75. 

=  20,000  x  10-6 

A2  =  15,000  x  io-6 
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a3  =  18,300  x  10*6 

A  =  2  A.  =  53,300  x  10-6 

0  i  1 

(6)  Allocate  reliability. 

R?(T)  =  R*(T)VAo 

R*(50)  =  (.75)200/533  =  .897 
R*(50)  =  (.75)1S0/S33  =  .922 
R*(50)  =  (.75)183/533  =  .906 

(7)  Check  allocation. 

R*(50)  R*(50)  R*(50)  =  .7493 

The  allocated  system  failure  rates  for  non-redundant  Subsystems  1  and  2  are: 
A*  =  rkn  ^.897  =  2150  x  10*6 

A*  =  -kn  -92.?.  =  1620  x  10*6 

2  50 


Evaluate  the  Feasibility  of  the 
Allocated  Requirement _ 


In  Step  2  the  expected  failure  rate  for 
the  proposed  new  system  was  determined  on 
the  basis  of  a  conventional  design  con¬ 
figuration,  represented  as  a  series  string  of 
functional  subsystems;  each  subsystem  in 
turn  comprised  a  series  of  AEG’s.  This 
expected  failure  rate  also  assumed  normal 
design  care  and  attention  to  tolerances  and 
ratings. 

In  Step  5  the  “permissible”  system 
failure  rate  —  permitted  by  the  reliability 
requirement  —  was  distributed  proportionately 


among  the  subsystems  within  the  proposed 
new  system.  This  allocation  procedure  as¬ 
sumed  a  uniformity  among  AEG’s  of  given 
class  that  does  not  actually  obtain  in  practice. 
Thus,  our  allocation  at  this  point  can  be 
considered  only  as  a  tentative  one  —  for  use 
only  as  an  initial  basis  for  specification  of 
reliability  requirements  at  the  system  and 
subsystem  levels.  This  allocation  must 
therefore  be  reviewed  and  adjusted  early  in 
the  design  phase,  as  soon  as  the  detail  de¬ 
sign  study  discloses  the  discrepancies 
between  allocated  improvement  and  improve¬ 
ment  feasibility .  It  may  turn  out,  for  example, 
that  a  ten-to-one  reduction  in  failure  rate  of 
one  unit  is  entirely  feasible,  whereas  a 
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two-to-one  reduction  in  another  unit  would 
be  beyond  state-of-art  capability  for  some 
time  to  come.  The  reallocation  of  reliability 
requirements  must  therefore  ultimately  con¬ 
sider  improvement  feasibility  within  the 
constraints  of  available  time  and  funds. 


2-3-4.  Classification  of  Feasibility  Levels 

For  purposes  of  preliminary  feasibility 
estimation  by  “rule  of  thumb”,  reliability 
feasibility  can  be  classified  according  to 
practicality  of  failure-rate  reduction: 

Feasibility  Level  A  - 

“Practically”  Feasible: 

The  reliability  requirement 
dictates  an  average  reduction  in 
failure  rate  (or  failure  probability) 
of  less  than  two-to-one  below 
that  “expected”  by  conventional 
design  (as  determined  inStep  2). 
In  this  case,  the  amount  of  re¬ 
liability  improvement  required  is 
generally  achievable  by  con¬ 
ventional  design,  if  the  design 
is  guided  by  an  effective  re¬ 
liability  evaluation  and  demon¬ 
stration  test  program. 

Feasibility  Level  B  - 

“Conditionally”  Feasible 

The  reliability  requirement 
dictates  an  average  reduction  in 
failure  rate  (or  failure  prob¬ 
ability)  of  between  three-  and 
ten-to-one,  over  an  operating 
period  not  exceeding  the  “ex¬ 
pected”  mean  life  determined  in 
Step  2.  In  this  case  the  reliability 
requirement  is  feasible  con¬ 
ditional  on  the  application  of 
redundancy  at  critical  points  in 
the  system,  and  on  the  imple¬ 


mentation  of  an  effective  re¬ 
liability  evaluation  and  demon¬ 
stration  test  program  to  guide  the 
application  and  prove  the 
practicality  of  these  techniques. 

Feasibility  Level  C  — 

“Remotely”  Feasible: 

The  reliability  requirement 
dictates  a  reduction  in  failure 
rate  (or  failure  probability)  of 
one  or  two  orders  of  magnitude 
below  that  “expected”  over  a 
period  of  operating  time  exceed¬ 
ing  the  “expected”  mean  life 
of  Step  2.  In  this  case  the  re¬ 
quirement  may  become  real¬ 
istically  feasible  only  after  an 
intensive  program  of  basic  and 
applied  research,  based  on  the 
findings  of  a  detailed  feasibility 
study. 

Depending  on  the  level  of  feasibility 
in  which  the  tentative  requirement  falls,  the 
following  decisions  are  indicated: 

•  If  the  reliability  requirement  is  of  Level  A 
feasibility,  stand  “pat”;  i.e.,  specify  the 
requirement  as  a  firm  design  requirement. 

•  If  the  requirement  is  of  Level  B  feasibil¬ 
ity,  stand  pat  to  the  extent  that  weight 
end  space  factors  will  permit  the  appli¬ 
cation  of  redundancy;  i.e.,  specify  the 
requirement  as  a  firm  design  requirement, 
but  be  prepared  to  trade  weight  and  space. 

•  If  the  requirement  appears  to  be  of  Level 
C  feasibility  yet  is  a  tactically  realistic 
requirement,  specify  the  requirement  as  a 
design  objective  in  a  formal  design  fea¬ 
sibility  study  to  determine  the  areas  of 
research  and  development  to  be  sponsored 
in  support  of  the  system  development 
program. 
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2-4  ESTIMATION  OF  MAINTAINABILITY 
AND  AVAILABILITY  IN  THE  DESIGN  PHASE 


2-4-1.  General 

The  availability  of  a  weapon  system  is 
determined  principally  by  its  maintainability- 
the  ease  with  which  it  can  be  kept  ready  to 
respond  to  the  tactical  need  when  needed. 
The  requirement  for  maintainability  (estab¬ 
lished  initially  in  the  requirements  analysis 
phase)  must  be  periodically  re-assessed  as 
design  progresses,  on  the  basisof  a  practical 
analysis  of  the  inherent  “repairability” 
characteristic  of  the  design.  Availability  is 
dependent  upon  the  probability  of  system 
repair  and  return  to  operational  status,  i.e., 
the  probability  that  the  system  can  be  re¬ 
stored  to  operational  status  within  a  pre¬ 
scribed  period  of  “downtime”  for  repair 
or  preventive  maintenance. 


As  weapon  systems  become  more  com¬ 
plex,  the  opportunity  for  failure  increases  as 
Nk,  where  N  is  a  measure  of  complexity  ex¬ 
pressed  in  active  elements,  and  k  =  1.4  is  the 
value  of  the  exponent  in  shipboard  analog 
devices  (k  =  1.3  in  airborne  analog,  and 
approximately  1.1  in  most  digital  appli¬ 
cations).  As  the  frequency  of  failure  in¬ 
creases,  so  does  the  distribution  of  failure 
causes.  Thus  the  maintenance  problem  can 
.be-  related  to  system  complexity,  for  feasi¬ 
bility  estimation  purposes. 

2-4-2.  Procedural  Steps 

The  following  procedures  are  useful  for 
the  estimation  of  maintainability,  and  hence 
system  availability,  as  a  feature  of  design. 


STEP  1 


-  Develop  the  Maintainability-Availability  Model 


The  basic  maintainability-availability  model  is  derived  from  the  following  relationships 
between  system  "uptime”  and  “downtime”: 


Availability  =  - — - - Uptime —  - - - 

Uptime  +  Maintenance  Downtime 

_  _ (Mean-time-between-failures) _ 

(Mean-time-between-failures)  +  (Mean-time-to-restore) 


=  MTBF  _  1 

MTBF  +  MTR  1  +  MTR 

MTBF 

From  this  relationship,  maximum  permissible  average  unscheduled  maintenance  down¬ 
time  can  be  derived  as  a  function  of  the  specified  availability  requirement,  i.e.: 


MTR  {x.  - 

where  A*  and  MTBF*  denote  availability  and  reliability  requirement 
tentatively  specified  in  the  requirements  analysis  phase,  and 
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MTR  is  the  average  time  required  to  detect  and  isolate  a  malfunction, 
effect  repair,  and  restore  the  system  to  a  satisfactory  level  of  per¬ 
formance.  MTR  can  be  similarly  adjusted  to  include  a  permissible 
period  of  downtime  for  preventive  maintenance  when  the  definition  of 
availability  includes  the  PM  period.  See  Appendix  4  for  more  de¬ 
tailed  treatment  of  maintainability  in  redundant  designs. 


STEP  2 


Estimate  Feasibility  by 
“Conventional"  Design 


A  maintainability  model  of  conventional 
design  provides  the  basis  for  estimating  “ex¬ 
pected"  or  feasible  values  if  the  new  concept 
follows  the  design  approach  used  in  pre¬ 
decessor  systems  —  before  the  advent  of 
redundancy  and  reliability-with-repair  con¬ 
cepts. 


Figure  2-25  is  a  maintainability  esti¬ 
mating  chart  for  a  conventional  design  con¬ 
sisting  of  series  AEG’s  with  no  special 
maintenance  provisions.  The  maintainability 
“benchmark”  or  “expected  value”  of  mean- 
time-to-repair  for  the  conceptual  system  can 
be  estimated  from  the  chart  if  conventional 
design  is  to  be  employed. 

EXAMPLE :  A  shipboard  fire  control 
system  is  to  be  developed.  On  the 
basis  of  past  experience  with  con¬ 
ventional  designs,  the  following  “ex¬ 
pected”  parameters  are  derived: 

Ns  =  500  AEG’s  (Estimated) 

MTBF  =  40  hours  (Derived  from 
midpoint  of  MTBF 
band  of  Figure  2-18) 

MTR  =  12  hours  (Derived  from 
midpoint  of  MTR 
band  of  Figure  2-18) 

A  =  1  =  _J _ 

B  1 +J2  1+0.3 

40 


Thus  the  system  would  be  expected  to 
be  ready  to  operate  77%  of  the  time 
when  needed.  This  is  the  availability 
“benchmark”  for  the  system  based  on 
a  conventional  design  approach.  By 
going  to  the  top  of  the  MTBF  band  and 
the  lower  edge  of  the  MTR  band,  a 
maximum  feasible  estimate  can  be  de¬ 
rived  for  conventional  design: 

MTBF  (max)  =  80  hours 
MTR  (min)  =  8  hours 

Availability  (max)  =  .9 


STEP  3 


Estimation  of  Maintainability 
-  Feasibility  by  Analysis  of  the 
Design  Concept 


Availability  feasibility  of  the  con¬ 
ceptual  design  can  be  determined  analytically 
for  specific  repair  actions.  The  system  de¬ 
sign  concept  is  analyzed,  subsystem  by 
subsystem,  to  assess  the  following  factors: 

•  complexity; 

•  design  features  for  failure  indication, 
switching  of  redundant  units,  etc.; 

•  failure  rate  and  mean  life; 

•  mean-time-to-repair  (assuming  waiting 
time  =  zero); 

•  mean-waiting-time. 


2-37 


2-4-2 


NAVWEPS  00-65-502 


Figure  2-26  illustrates  the  consideration 
of  these  parameters  and  design  features. 

In  this  example,  Units  1  and  2  are 
modularized  for  quick  replacement  as  in¬ 
dicated  by  (d).  Unit  1  is  backed  up  by  a 
standby,  Unit  1,'  which  can  be  switched  into 
service  when  scheduled  monitoring  at  test 
point  (a)  indicates  marginal  performance. 
Unit  2  has  been  designed  with  failure  in¬ 
dicator  monitor  2m  for  local  indication  of  the 
discrepant  unit  in  the  event  of  subsystem 
failure. 

Unit  3  consists  of  all  the  nonreplace- 
able  AEG’s  —  i.e.,  all  AEG’s  whose  failure 
would  require  removal  of  the  subsystem  from 
service  for  repair  or  adjustment.  These  should 
be  the  inherently  low  failure-rate  elements. 

Unit  4  consists  of  three  elements  con¬ 
sidered  integral  to  the  physical  configuration 
of  the  subsystem,  failure  of  which  would  re¬ 


quire  replacement  of  the  subsystem  as  a 
whole.  These  are  the  structural  and 
mechanical  features  of  the  packaging  design. 


The  estimation  procedure  is  as  follows: 


©Estimate  the  complexity  and 
mean  life  of  each  of  the  units  in 
the  subsystem. 

f  2  j  Estimate  the  mean  time  required 
^ — '  to  repair,  replace,  or  switch  units 

in  the  event  of  failure. 


Compute  the  ratio  of  MTR/MTBF 
for  each  of  the  units,  and  add,  to 
obtain  an  estimate  for  the  sub¬ 
system. 

Solve  for  availability  and  compare 
with  the  requirement. 


id)  (e) 


"V - 

(a)  (b)  (c) 


Figure  2-26.  Block  Diagram  Reflecting 
Design  Features  for  Maintainability 
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EXAMPLE:  Assume  the  subsystem  of  Figure  2-26  indicates  an  “expected”  mean- 
time-to-repair,  MTR  =  8  hours,  on  the  basis  of  200  series  AEG’s;  MTBF  =  120  hours; 
current  availability  =  .93.  One  of  the  purposes  of  the  conceptual  design  is  to  reduce 
the  maintenance  time  and  the  subsystem  UN  avail  ability  by  a  factor  of  ten  or  more. 
Determine  the  feasibility  of  the  design  concept  as  diagramed  in  the  figure  to  achieve 
this  objective: 

Complexity  and  mean  life  by  unit: 


© 

© 


Unit  1 

50  AEG’s  Power 

50  hours 

Unit  2 

50  AEG’s  Analog 

100  hours 

Unit  3 

100  AEG’s  Digital 

1,000  hours 

Unit  4 

(mechanical)  10,000  hours 

Mean-time-to-repair: 

Unit  1 

(Sense  &  Switch) 

.1  hour 

Unit  2 

(Remove  &  Replace) 

.2  hour 

Unit  3 

(Isolate  &  Repair) 

1.0  hour* 

Unit  4 

(Remove,  Repair,  &  Reinstall) 

20.0  hours* 

^Includes  estimated  waiting  time  for  spare  parts. 

MTR/MTBF  ratios: 

Unit  1 

.1/50 

.002 

Unit  2 

.2/100 

.002 

Unit  3 

1.0/1000  = 

.001 

Unit  4 

20.0/10000  = 

.002 

Total  Subsystem  MTR/MTBF 
Predicted  subsystem  availability: 

A  =  1  +!o07  =  ’"3 


.007 


The  reduction  in  subsystem  UNavailability  as  a  result  of  th* 
new  design  concept  is  calculated  as  follows: 

Improvement  =  }  -  ^expected) 

1  -  A(predicted) 


_  1  -  .93  _  .07 
1  -  .993  U07 


10-to-l 


The  foregoing  example  illustrates  the  importance  of  considering  the  design  aspects  of 
maintainability  during  the  early  system  planning  phase. 
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Evaluate  Effects  of  Duty  Cycle  Figure  2-27  illustrates  a  case  for  a  particular 
on  Subsystem  Availability  equipment  in  a  missile  weapon  system. 

It  is  usually  permissible  to  assume  a  EXAMPLE:  The  launcher  of  a  hypo- 

negligible  failure  rate  for  most  system  thetical  weapon  system  has  an  MTBF  = 

elements  while  in  standby,  although  it  is  5  hours  under  continuous  operation, 

acknowledged  that  deterioration  mechanisms  and  an  MTR  =  10  hours.  Availability 

are  always  at  work  whether  a  system  is  in  an  for  a  100%  duty  cycle  is  given  simply 

operational  state  or  a  standby  state.  When  as: 

this  simplifying  assumption  is  known  to 

produce  serious  errors  in  availability  esti-  \  -  1  _  1 

mation,  it  is  necessary  to  consider  relative  1  +  MTR  j  +  10 

duty  cycles  in  all  modes  of  operational  status  MTBF  5 

in  order  to  more  precisely  account  for  all  the 

factors  which  contribute  to  UNavailability.  =  .33 


OfERADNG  DUTY  CTOI,  D 

D-  OWtATt  TtMg 
CALB40AI  TIME 


Figure  2-27.  Equipment  Availability  as  a  Function  of  Operating  Duty  Cycle 
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If  the  duty  cycle  of  the  launcher  can 
be  estimated  at  D  =  .2  —  i.e.,  will  be 
in  use  approximately  20%  of  the  time 
during  a  normal  tactical  engagement 
period  —  then  availability  would  be 
calculated  as  follows,  taking  account 
of  the  effect  of  duty  cycle  on 
“apparent”  MTBF: 


A  =  A  x  A  =(.87) (.72) 

“  O 

=  .62 

Availability  for  other  duty  cycles  can 
be  derived  directly  from  the  plot. 


1 

1  I  MTR(D) 
MTBF 


1 


.72 


This  assumes  a  launcher  failure  rate 
during  standby  of  zero  —  i.e.,  As  =  0. 

Further  analysis  discloses,  however, 
that  shipboard  environmental  effects 
will  result  in  a  launcher  standby  mean 
life,  MTBFa,  of  50  hours.  The  prob¬ 
ability  that  the  launcher  will  be 
available  after  a  period  of  standby 
time  is  given  by  the  following 
expression: 


8  i  I  MTR(l-D) 

MTBF8 

where  MTR  is  the  same  for  both  standby 
and  operate  failures,  and  (1-D)  is  the 
launcher  standby  duty  cycle  expressed 
in  terms  of  its  operate'  duty  cycle. 

In  this  example,  standby  availability  is 
actually  .87  instead  of  1.0  as  previously 
assumed.  Actual  tactical  availability 
of  the  launcher  for  this  particular  duty 
cycle  is  then  given  by: 


Assess  Effectiveness  Growth 
Potential _ _ 

Values  of  reliability  and  availability 
derived  in  the  preceding  sections  can  now  be 
plotted  as  a  continuous  function  of  time  and 
combined  for  a  time-dependent  estimate  of 
system  effectiveness,  or  “kill  probability”, 
as  illustrated  in  Figure  2-28.  The  figure 
illustrates  the  combination  of  reliability, 
R(t),  with  availability,  A,  to  produce  the 
effectiveness  function  Eft)  =  R(t)  x  A  for  a 
given  level  of  performance  under  specified 
use  conditions. 


Both  the  “benchmark”  effectiveness 
achievable  by  conventional  design  and  the 
predicted  “feasible”  level  of  effectiveness 
achievable  by  the  proposed  new  design  con¬ 
cept  can  be  plotted  for  a  graphical  assess¬ 
ment  of  its  effectiveness  potential.  The 
feasibility  of  a  stated  effectiveness  require¬ 
ment  can  then  be  ascertained  by  observing 
its  relation  to  the  area  bounded  by  the  two 
curves.  This  is  illustrated  in  Figure  2-29. 


At  this  point,  it  may  be  necessary  to 
adjust  the  design  concept  to  satisfy  either  a 
higher  reliability  requirement  or  a  higher 
availability  requirement,  in  order  to  increase 
the  inherent  design  potential  consistent  with 
the  stated  requirement. 
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PROBABILITY  RELIABILITY 


Figure  2-28.  System  Effectiveness  Plotted  as  a  “Time-Dependent"  Characteristic 


EFFECTIVENESS 


Figure  2-29.  Comparison  of  Effectiveness  Potential  of  New  Design  with 
Respect  to  Conventional  Design 
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CHAPTER  3 

RELIABILITY  PROGRAM  REQUIREMENTS, 
PLANNING,  AND  MANAGEMENT  GUIDE 


3-1  INTRODUCTION 


3-1-1.  General 

Program  managers  and  project  engi¬ 
neers  are  charged  with  the  responsibility  for 
delivering  reliable  systems  to  the  Fleet. 
However,  most  programs  today  do  not  pro¬ 
vide  either  reliability  control  or  monitoring 
prior  to  the  evaluation  phase,  at  which  time 
it  is  usually  too  late  to  make  modifications 
for  reliability  improvement,  because: 


The  primary  purposes  of  a  reliability 
program  are: 

•  To  focus  engineering  and  management 
attention  on  the  reliability  requirement; 

•  To  insure  that  reliability  is  treated  as  a 
design  parameter  of  equal  importance  with 
other  performance  parameters;  and 


(1)  The  equipment  is  needed  now  for  tactical 
use  (development  time  has  been  exhaust¬ 
ed);  and 


•  To  alert  management,  throughout  the  pro¬ 
gram,  to  all  reliability  discrepancies 
which  may  require  management  decision. 


(2)  The  money  already  spent  is  too  great  an 
investment  to  be  written  off  because  of 
poor  reliability;  it  is  often  considered 
more  expedient  to  add  funds  in  a  des¬ 
perate  attempt  to  make  a  “product  im¬ 
provement’’. 

This  section  sets  forth  the  essential 
reliability  program  activities  deemed  vital  to 
the  success  of  Bureau  of  Naval  Weapons 
development  programs  in  general.  Emphasis 
is  placed  upon  reliability  program  planning, 
monitoring,  and  management  review  proce¬ 
dures. 


An  adequate  program  must  contribute 
to,  and  guide  in,  the  orderly  and  scientific 
approach  to  “designing-for-reliability”.  It 
must  help  contractors  and  individuals  over¬ 
come  their  lack  of  recognition  that  reliability 
must  be  a  designed-for  parameter,  with  prac¬ 
tical  limitations.  It  must  foster  the  realiza¬ 
tion  that  good  performance  design  no  longer 
has  the  inherent  reliability  to  satisfy  Navy 
requirements.  It  must  change  the  attitude  of 
many  engineers  from  the  negative  “no  one 
designs  for  failures’’  to  the  positive  “we 
must  design  against  failures’’. 
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A  reliability  program  will  not  increase 
the  reliability  of  an  equipment,  but  an  effec¬ 
tively-monitored  program  will  not  permit  an 
inadequate  design  to  proceed  into  develop¬ 
ment,  test,  production,  and  Fleet  use  with¬ 
out  specific  management  approval.  It  is 
this  effective  monitoring  that  will  permit 
project  engineers  to  assess  feasibility  of 
achievement  and  progress  in  time  to  make 
adjustments  equitable  to  all  —  the  user,  the 
contractor,  the  Bureau  of  Naval  Weapons. 

The  concept  of  a  total  reliability  pro¬ 
gram,  as  generally  endorsed  by  DOD,  has 
four  major  points: 


(1)  That  a  quantitative  requirement  be  stated 
in  the  contract  or  design  specifications. 

(2)  That  a  reliability  assurance  program  be 
established  by  the  contractor. 

(3)  That  reliability  progress  be  monitored  or 
audited  by  the  Bureau  of  Naval  Weapons. 


(4)  That  a  reliability  acceptance  test  be 
successfully  passed  prior  to  acceptance. 
This  applies  to  prototype  or  demonstra¬ 
tion  models  prior  to  production  approval, 
and  to  production  samples  prior  to  Fleet 
use. 

This  section  deals  primarily  with  the  con¬ 
tractor  reliability  assurance  program  and  the 
monitoring  and  audit  of  progress  by  Bureau 
personnel. 

3-1-2.  Applicable  Documents 

Bureau  of  Naval  Weapons  project 
personnel  should  contractually  impose  reli¬ 
ability  and  maintainability  program  require¬ 
ments  in  consonance  with  WS-3250,  WR-30, 
MIL-Q-9858A ,  MIL-R-22256  or  other  applic¬ 
able  BuWeps  documents  outlined  in  Chapter  1. 
These  documents,  in  general,  include  those 
minimum  pertinent  contractor  program  activi¬ 
ties  which  have  received  general  acceptance 
and  widespread  industry  application.  These 
are  summarized  in  3-2,  following.  Paragraph 
3-4  discusses  the  implementation  and  moni¬ 
toring  of  such  programs. 


3-2  RECOMMENDED  CONTRACTOR  PROGRAM 


3-2-1.  General 

Of  specific  interest  is  the  Reliability 
Assurance  Program  required  of  the  contractor. 
Those  activities  which  experience  has 
shown  contribute  to  an  orderly  and  scientific 
approach  to  “designing-for-reliability”  are 
briefly  discussed  below. 


3-2-2.  Design  Reviews 

Engineering  design  review  and 
evaluation  procedures  should  include  reli¬ 
ability  as  a  tangible  operational  character¬ 
istic  of  the  equipment,  assembly,  or  circuit 
under  review.  Reliability  considerations  dur¬ 
ing  the  design  reviews  should  include: 
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3-2-2  to  3-2-4 


(a)  Performance  requirements  and  defini¬ 
tions  of  failure  (e.g.,  tolerances,  wear, 
and  parameter  shifts). 

! 

(b)  Environments  to  which  the  device,  item, 
or  circuits  will  be  subjected  in  the  use 
configuration,  including  storage,  trans¬ 
port,  and  production  process  environ¬ 
ments. 

(c)  The  designer’s  reliability  prediction  of 
the  current  design,  supported  by  detailed 
calculations  and  data  sources. 


(c)  Quality  standards  from  incoming  piece- 
part  inspections  through  production  ac¬ 
ceptance  on  the  basis  of  time-dependent 
parameter  variations  occurring  during 
application,  storage,  and  transportation. 

(d)  Calibration  and  tolerance  controls  for 
production  instrumentation  and  tooling. 

(e)  Integration  of  reliability  requirements 
and  acceptance  tests  into  specifications 
for  the  purchase  of  materials  and  parts 
to  be  used  in  production  of  the  system. 


(d)  Evaluation  of  tradeoffs  between  per¬ 
formance,  maintainability,  weight,  space, 
power,  cost,  and  time  factors  made  for 
design  optimization. 

(e)  Failure-mode  analysis  of  the  design. 
Particular  emphasis  should  be  placed 
upon  the  reduction  of  marginal  failure 
modes,  those  which  are  difficult  to  iso¬ 
late  and  repair. 

(f)  Results  of  all  tests  conducted  to  date. 

(g)  Plans  for  reliability  improvement  and 
problem  solutions. 


(f)  Determination  of  failure  modes  related  to 
production  process  and  production  con¬ 
trol  discrepancies  and  evaluation  of 
corrective  action  taken  on  production 
process  discrepancies. 

(g)  Design  and  production  processing  change 
orders  for  compliance  with  reliability 
requirements. 

(h)  Life  tests  of  production  samples  to  veri¬ 
fy  quality  standards  and  inspection 
techniques. 


3-2-3.  Production  Control  and  Monitoring 

Production  Control  and  Monitoring  in 
accordance  with  MIL-Q-9858A  are  required  to 
assure  that  the  reliability  achieved  in  design 
is  maintained  during  production.  Detailed 
consideration  should  be  given  to: 

(a)  Integration  of  reliability  requirements 
into  production  process  and  production 
control  specifications. 

(b)  Production  environments  induced  by 
handling,  transporting,  storage,  proces¬ 
sing,  and  human  factors. 


3-2-4.  Subcontractor  and 

Vendor  Reliability  Control 

Provisions  should  be  established  to 
insure  subcontractor  and  vendor  selection 
and  performance  consistent  with  the  reli¬ 
ability  requirements  of  the  contract. 
Subcontractors  and  vendors  must  look  to  the 
prime  contractor  for  a  clear  definition  of 
reliability  required  in  subcontracted  items. 
Once  these  requirements  have  been  adequate¬ 
ly  defined,  the  prime  contractor  must  extend 
the  scope  of  his  reliability  assurance  pro¬ 
gram  to  the  monitoring  and  control  of  his 
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subcontractors  and  vendors.  Such  monitoring 

and  control  should  include: 

(a)  Incorporation  of  reliability  requirements 
in  subcontractor  and  vendor  procurement 
documents. 

(b)  Provision  for  assessment  of  reliability 
progress,  including  reliability  qualifi¬ 
cation  and  acceptance  testing  of  in¬ 
coming  products. 

(c)  Adequate  liaison  to  insure  compatibility 
among  vendor  products  to  be  integrated 
into  the  end  item. 

(d)  Initial  selection  procedures  for  sub¬ 
contractors  and  vendors  which  consider, 
in  relation  to  the  requirement:  past  per¬ 
formance,  willingness  to  test  and  share 
test  data,  interest  and  response  on  feed¬ 
back  of  deficiency  information,  test 
philosophy,  and  realism  of  cost  and 
delivery  schedules. 


3-2-5.  Reliability  Development  Test  Program 

Reliability  demonstration  tests  are,  in 
general,  statistically-designed  experiments 
in  which  due  consideration  is  given  to  con¬ 
fidence  levels  and  sampling  errors.  Unless 
proof  of  adequacy  can  be  substantiated  by 
other  available  data  acceptable  to  the  pro¬ 
curing  activity,  all  items  of  equipment  of 
higher-order  designations  should  be  tested 
in  order  to  verify  that  reliability  is  achiev¬ 
able  with  the  proposed  design.  If  it  is  not 
achievable,  the  problem  areas  which  prevent 
its  attainment  should  be  isolated  and  defined. 
The  test  program  should  include: 

(1)  Tests  of  questionable  areas  where  reli¬ 
ability  experience  is  not  available, 
particularly  new  concepts  and  materials. 


(2)  Tests  to  determine  the  effects  of  unique 
environments  or  combinations  of  envi¬ 
ronments. 

The  extent  of  the  test  program  is 
determined  by  weighing  the  cost  of  testing 
against  the  degree  of  assurance  required  that 
the  product  will  have  a  given  level  of  reli¬ 
ability. 

In  addition  to  those  tests  performed 
specifically  for  reliability  demonstration 
all  formally  planned  and  documented  tests 
which  are  performed  throughout  the  contract 
period  should  be  evaluated  from  a  reliability 
viewpoint  to  maximize  the  data  return  per 
test  dollar.  Data  which  are  obtained  should 
facilitate: 

(a)  Estimation  of  reliability  on  the  basis  of 
individual  and  accumulated  test  results. 

(b)  Determination  of  performance  variabil¬ 
ities  and  instabilities  that  are  induced 
by  time  and  stress. 

(c)  Evaluation  of  maintenance  accessibility 
and  operator-adjustment  requirements. 


3-2-6.  Reliability  Analyses 

Periodic  analyses  of  reliability 
achievement  should  be  included  as  a  normal 
part  of  technical  progress  evaluations.  These 
analyses  should  be  scheduled  to  coincide 
with  quarterly,  semi-annual,  or  other  techni¬ 
cal  progress  reporting  requirements  estab¬ 
lished  by  the  contract.  These  analyses 
should  consider: 

(a)  Reliability  estimates  based  on  predictions 
and  test  data. 

(b)  The  relationship  between  present  reli¬ 
ability  status  and  scheduled  progress. 
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(c)  The  changes  in  concepts  and  approaches 
that  are  necessary  to  accomplish  the 
contract  objective. 

(d)  The  effects  of  changes  made  in  design 
and  manufacturing  methods  since  the 
previous  analysis. 

(e)  Changes  in  operational  requirements, 
including  environmental  conditions, 
operator  and  maintenance  personnel 
qualifications,  logistic  support  require¬ 
ments,  and  interface  conditions. 

(f)  Criteria  of  success  and  failure,  including 
partial  successes  (degraded  operation) 
and  alternative  modes  of  operation. 

(g)  Production  tolerances  and  techniques, 
including  assembly  test  and  inspection 
criteria  and  test  equipment  accuracies. 

(h)  Specific  problem  areas  and  recommended 
alternative  approaches. 


3-2-7.  Failure  Reporting,  Analysis, 

and  Feedback 

A  formalized  system  for  recording  and 
analyzing  all  failures  should  be  established. 
Analyses  should  be  fed  back  to  engineering, 
management,  and  production  activities  on  a 
timely  basis.  Complete  reporting  provides 
chronological  data  on  operating  times,  on-off 
cycling,  adjustments,  replacements,  and 
repairs  related  to  each  system,  subsystem, 
component,  and  “critical”  part.  Through  the 
analysis  of  these  reports,  reliability  is 
measured  and  improved  on  a  continuing  basis. 
Reports  should  be  complete  and  accurate  in 
recording: 

(a)  System,  subsystem,  component  identifica¬ 
tion. 


3-2-6  to  3-2-8 

(b)  Total  accumulated  operating  time  on 
system  and  component  in  which  failure 
occurred. 

(c)  Performance  behavior  or  malfunction 
symptom  which  accompanied  the  failure. 

(d)  Test  or  “use”  conditions  at  time  of 
failure. 

(e)  ldentification,  classification,  and  appar¬ 
ent  cause  of  failure. 

(f)  Repair  action  taken  to  restore  next  higher 
assembly  to  operational  status. 

(g)  Time  required  for  fault  detection  and 
correction  (maintainability  evaluations). 

(h)  Identification  of  test  activity  or  organi¬ 
zation,  and  the  individual  operator  or 
technician  making  report. 

(i)  Report  serial  number,  date  and  time. 

(j)  Failure-diagnosis  summary  and  recom¬ 
mended  recurrence-control  measures. 

Timely  analysis  of  all  discrepancy  or 
failure  ieports  by  an  analysis  team  formally 
constituted  by  management  determines  the 
basic  or  underlying  causes  of  failure  in  parts, 
materials,  processes,  and  procedures.  The 
analysis  includes  failures  in  design,  manu¬ 
facture,  procurement,  quality  control,  main¬ 
tenance,  and  operation.  Results  of  failure 
analyses  should  be  fed  back  to  design,  pro¬ 
duction,  and  management  personnel  for 
assignment  of  corrective  action  and  follow-up 
responsibilities  as  appropriate. 


3-2-8.  Reliability  Monitoring 

The  contractor  should  establish  a 
monitoring  activity  to  insure  the  adequate 
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development  of  reliability.  The  monitoring 
activity  performs  three  basic  functions: 
analysis  of  reliability  status  relative  to  re¬ 
quirements;  determination  of  corrective  action 
needs;  and  follow-up  on  the  corrective  action. 
Documentation  of  the  reliability-assurance 
and  monitoring  procedures  developed  for 
this  activity,  deluding  checklists  and  in¬ 
structional  material  normally  used  by  the  con¬ 
tractor,  should  be  maintained  in  a  form 
clearly  delineating  the  approach  used  and 
the  results  obtained.  Such  documentation  of 
the  procedures  and  objective  evidence  of 
reliability  conformance  should  be  available 
for  review  by  the  procuring  activity  as  re¬ 
quired.  The  results  of  monitoring  should  be 
made  available  to  responsible  management 
through  the  following  types  of  reports: 


(a)  Reliability-assessment  reports:  Periodic 
objective  assessments  of  reliability 
status  relative  to  contract  requirements 
and  schedules.  These  assessments 
should  be  performed  by  personnel  who 
are  not  directly  responsible  for  the  de¬ 
sign,  development,  or  production  of  the 
procurement  item. 

(b)  Reports  of  major  discrepancies  and  cor¬ 
rective  action  taken:  Methods  for  alert¬ 
ing  contractor  and  procuring  activity 
managements  to  all  major  reliability 
discrepancies  which  may  require  manage¬ 
ment  decisions  with  respect  to  changes 
in  schedules  or  requirements  and  the 
like,  and  methods  for  reporting  the  re¬ 
sults  of  corrective  action. 


3-3  SPECIFICATION  OF  THE  PROGRAM 


The  requirement  for  a  reliability  as¬ 
surance  program  should  be  included  as  a 
subparagraph  of  the  “Requirements”  section 
of  the  design  specifications  or  other  con¬ 
tractual  documents.  This  subparagraph  may 
specify  the  entire  required  program,  or  it  may 


reference  a  standard  document  such  as 
WS-3250,  with  specific  additions  and  de¬ 
letions,  as  necessary.  Coverage,  not 
method,  is  important.  Figure  3-1  lists  those 
requirements  which  should  be  specified. 
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3-3  to  3-4 


Program  Activities: 

—  Design  Reviews 
—  Production  Control 
—  Vendor  Reliability  Control 
—  Development  Test  Program 
—  Reliability  Analyses 
—  Failure  Reporting  and  Analyses 
—  Specific  Activities  or  Tests  Peculiar 
to  a  Given  Class  of  Equipment 

Reliability  Monitoring  Functions: 

—  Independent  Assessments 

(M1L-HDBK-217) 

—  Major  Discrepancy  Reporting 
—  Program  Documentation 


Reliability  Reporting  Requirements: 

—  Coverage  in  Technical  Progress 
Reports 

—  Specific  Reliability  Design  Analysis 
Reports  (MIL-HDBK-217; 
MIL-STD-756A) 

—  Acceptance  Test  Report 

Maintainability  Requirements: 

-  Program  Plan  and  Activities  (WR-30) 
—  Reporting  and  Monitoring  (WS-3099) 

Quality  Assurance: 

—  Specific  QA  Plan  (MIL-Q-9858A) 

—  Progress  Evaluations  by  Procuring 
Activity 

-  Acceptance  Tests  Required 


Figure  3-1.  Reliability  Assurance  Program  Requirements 
(Presently  Reflected  in  WS-3250) 


3-4  PROGRAM  MANAGEMENT  AND  MONITORING 


It  is  one  thing  to  reference  a  specifi¬ 
cation  (or  requirement)  in  procurement  docu¬ 
ments,  and  quite  another  to  determine  “how 
to  comply”  and  “what  is  compliance?” 
Effective  implementation  requires  that  both 
the  Bureau  project  engineer  and  the  contractor 
fulfill  fheir  obligations  and  responsibilities 
in  a  spirit  of  teamwork  toward  the  common 
objective  —  reliable  equipment  in  the  Fleet. 
The  following  sequence  of  steps  is  presented 
as  a  guide  in  this  implementation. 


STEP  1 


Specify  Reliability 
Requirements 


The  project  engineer  should  state  the 
reliability  requirements  in  design  specifi¬ 
cations  or  procurement  documents  (including 
requests  for  proposals.)  Figure  3-2  is  a  check¬ 
list  to  assist  in  preparation  or  review  of 
reliability  specifications. 
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Section  1.  Scope 

•  Clear,  concise  abstract  of  specification  coverage. 

•  Description  of  the  item  (or  items)  in  sufficient  detail  to  preclude  misinterpretation  of  the  ex¬ 
tent  of  coverage  intended  by  the  specification. 

Section  2.  Applicable  Documents 

•  Reference  only  to  those  specifications  and  documents  that  are  referenced  in  the  body  of  the 
specification.  (Additional  references  not  directly  pertinent  tend  to  cloud  the  basic  specifi¬ 
cation  retirements.)  Documents  referenced  must  be  available  in  approved  form  at  time  of 
specification  issue. 

Section  3.  Requirements 

•  Clearly  expressed  quantitative  requirements  which  reflect  minimum  acceptable  operational 
demands. 

•  Definition  of  satisfactory  performance  and  the  dividing  line  between  satisfactory  and  unsatis¬ 
factory  performance  (success  or  failure).  More  than  one  definition  may  be  included  to  cor¬ 
respond  to  different  modes,  functions,  and  degrees  of  failure  in  large,  complex  systems. 

a  The  time  period  of  interest  in  the  form  of  mission  sequence  (or  profile),  duty  cycles,  and  the  like. 

•  Environmental  and  other  use  conditions  under  which  the  system  will  be  expected  to  achieve 
the  quantitative  requirements. 

•  Program  requirements  specifically  applicable  to  the  system  and  phase  of  development  or 
production. 

•  Reference  to  appropriate  general  specifications. 

a  Reporting  requirements  as  a  part  of  total  program  reporting. 

a  Submission  dates  for  special  reports  required  by  general  specifications  and  other  referenced 
documents. 

a  Date  of  submission  of  detailed  acceptance  test  plans  for  approval. 

Section  4.  Quality  Assurance  Provisions 

a  Scheduled  periodic  progress  monitoring  by  the  procuring  activity, 
a  Acceptance  test  plan(s)  outline,  including: 

1.  General  test  or  inspection  conditions,  or  duty  cycles. 

2.  Description  of  item(s)  to  be  accepted  under  the  tests  (if  different  from  the  total  system  as 
defined  under  “Scope”). 

3.  Number  and  sampling  plan  for  selection  of  items  to  be  tested. 

4.  Estimated  test  duration. 

5.  Success  and  failure  criteria  related  to  test  conditions. 

6.  Accept/reject  criteria  of  the  test  plan. 

7.  Statement  of  consumer’s  risk  (a  measure  of  the  adequacy  of  the  test  plan  in  discriminating 
between  acceptable  and  unacceptable  product). 

Section  5.  Preparation  For  Delivery 

•  Disposition  of  test  items. 

Section  6.  Notes 

•  Unique  or  changed  definition  of  terms. 

•  Explanatory  information  as  required  to  aid  in  clarity  of  previous  sections. 


Figure  3-2.  Specification  Checklist 
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3-4 


STEP  2 


Establish  Schedules 


The  project  engineer  should  establish 
schedules  for  reliability  reporting  and 
monitoring. 


•  Reliability  Design  Analysis  Report(s). 
Delivery  dates  for  such  reports  may  be 
specified  on  either  a  calendar  or  a 
program-phase  basis.  It  is  usually 
preferable  to  have  a  report  submitted 
quarterly,  with  each  succeeding  report 
refining  the  analysis. 


•  Acceptance  Test  Plan  -  Submission 
for  Approval.  The  detailed  test  plan 
should  be  submitted  30  to  60  days 
prior  to  test  initiation,  in  order  to 
allow  sufficient  time  for  Bureau  review 
and  approval. 


•  Progress  Evaluation  Schedule.  Pro¬ 
gress  evaluations,  as  visualized  for 
effective  monitoring,  are  made  by  a 
team  of  Bureau  personnel  or  their  in¬ 
dependent  consultants  who  perform  the 
evaluation  by  detailed  personal  review 
at  the  contractor’s  facilities.  These 
reviews  are  best  scheduled  to  cor¬ 
respond  with  major  milestones,  rather 
than  at  fixed  time  intervals. 


STEP  3 


—  Prepare  RFP 


The  project  engineer  should  include 
desired  proposal  coverage  of  reliability  in 
the  Request  for  Proposal.  The  following 
may  be  inserted  in  the  RFP: 

Proposals  responsive  to  this  RFP  shall  con¬ 
tain  the  following: 

1.  Understanding  of  the  requirements. 


within  the  stated  or  implied  limi¬ 
tations  (if  the  bidder  deems  the 
requirement  unrealistic,  that  which 
he  considers  realistic  and 
achievable  should  be  stated). 

3.  Supporting  evidence  for  1  and  2 
above,  including:  reliability  es¬ 
timates  of  the  proposed  concept  and 
approach  ( refer  to  MIL-STD-756A); 
source  and  applicability  of  data; 
experience  of  bidder  with  similar 
programs;  specific  ways  and  means 
of  attainment  (e.g.,  redundancy, 
improved  parts,  or  new  technique s ); 
assumptions  and  non- controllable 
dependencies  upon  which  the 
approach  is  based. 

Jj.  Description  of  the  proposed  Re¬ 
liability  Assurance  Program,  in¬ 
cluding: 

a.  Description  of  proposed  pro¬ 
gram  in  relation  to  overall 
contract  effort. 

b.  Specific  technical  activities, 
where  appropriate. 

c.  Magnitude  of  effort  by  activity. 

d.  Responsibilities  and  author¬ 
ities  within  the  proposed  or¬ 
ganizational  structure  ( includ¬ 
ing  list  of  key  personnel, 
together  with  background  and 
experience). 

e.  Proposed  schedule  of  reliability 
activities. 

f.  Recommended  monitoring 
points  and  major  milestones. 


2.  Proposed  technical  and  manage¬ 
ment  approach  toward  achievement 


g.  Proposed  reliability  develop¬ 
ment  test  program. 
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STEP  4 


Prepare  Proposal 


The  prospective  contractor  should 
prepare  proposal  in  response  to  RFP  and 
the  requirements  of  Step  3.  Specifically, 
the  proposing  contractor  must: 

•  Analyze  the  reliability  requirement  and 
make  a  preliminary  prediction  to  deter¬ 
mine  the  feasibility  of  the  requirement 
for  a  given  time  and  cost.  This  forces 
the  bidder  to  establish  cost,  development 
time,  and  reliability  tradeoffs  as  a  part 
of  his  proposal  effort. 

•  Establish  and  cost  his  reliability  activ¬ 
ities  and  integrate  them  into  the  total 
program.  For  contractors  whose  reliabil¬ 
ity  awareness  is  reflected  in  supporting 
staff  activities,  this  task  is  routine.  For 
contractors  who  previously  have  ignored 
or  have  merely  given  lip  service  to  reli¬ 
ability,  it  can  be  a  difficult  task,  at  times 
requiring  major  reorganizations  within  the 
company.  Contractors  must  firmly  commit 
themselves  to  a  future  course  of  action. 
They  must  give  evidence  of  adequate  ex¬ 
perience,  competence,  facilities,  and  data. 

•  Schedule  in-house  reliability  accomplish¬ 
ments  and  monitoring  which  become  part 
of  the  master  schedule.  Where  a  PERT 
program  is  required,  the  schedule  must 
include  the  intended  accomplishments  of 
significant  reliability  activities. 


design  approach  and  planned  developments 
to  determine  which  assemblies  and  com¬ 
ponents  will  require  test  demonstration. 
This  determination  affects  proposed  devel¬ 
opment  cost  and  time  estimates. 


STEP  5 


Evaluate  Proposals 


The  project  engineer  should  evaluate 
proposals  for  their  response  to  the  previous 
steps.  The  proposals  should  be  evaluated 
in  terms  of  their  applicability  to  the  specific 
task  at  hand.  Although  apparently  well- 
organized,  well-staffed,  and  well-documented 
reliability  organizations  and  procedures  indi¬ 
cate  a  wealth  of  experience,  the  willingness 
of  a  contractor  to  pursue  the  specific  reli¬ 
ability  program  required  by  the  proposal  is  of 
prime  importance. 

The  proposal  review  should  give 
particular  attention  to  the  reliability 
activities  proposed  by  the  contractor  rather 
than  stress  the  contractor’s  organizational 
structure  per  se.  The  reliability  activities 
will  inevitably  reflect  the  policies  and  pro¬ 
cedures  of  management  upon  whom  the  line 
organization  depends  for  effective  guidance, 
support,  and  continuity;  and  in  the  final 
analysis  the  strength  of  the  organization 
will  be  determined  by  its  effectiveness  in 
contributing  to  the  acceptability  of  the  end 
product. 


•  Plan  development  reliability  tests.  The 
proposing  contractor  must  evaluate  the 


Figure  3-3  is  a  guide  for  use  in  evalu 
ating  proposals. 
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Requirements  Analysis: 

•  Is  the  reliability  requirement  treated  as  a  design  parameter? 

•  Has  the  requirement  been  analyzed  in  relation  to  the  proposed  design  approach? 

•  Is  there  a  specific  statement  that  the  requirement  is,  or  is  not,  feasible  within 
the  time  and  costs  quoted?  If  not  feasible,  is  an  alternative  recommended9 

•  Is  there  evidence  in  the  proposal  that  the  reliability  requirement  influenced  the 
cost  and  time  estimates? 

•  Is  an  initial  prediction  included  in  sufficient  detail  (data  souices,  complexity, 
reliability  block  diagram,  etc.)  to  permit  Bureau  evaluation  of  its  realism? 

•  Are  potential  problem  areas  and  unknown  areas  discussed;  or,  if  none  are 
anticipated,  is  this  so  stated? 

•  If  the  requirement  is  beyond  that  which  presently  can  be  achieved  through  con¬ 
ventional  design(MIL-STD-756A),does  the  proposal  describe“how”  and  “where” 
improvements  will  be  accomplished? 

Reliability  Program  and  Monitoring: 

•  Is  the  proposed  program  in  accord  with  the  procurement  request? 

•  If  the  contractor  has  indicated  that  certain  of  the  reliability  activities  requested 
are  not  acceptable  to  him,  has  he  suggested  satisfactory  alternatives? 

•  Is  the  program  specifically  oriented  to  the  anticipated  needs  of  the  proposed 
equipment? 

•  Are  program  activities  defined  in  terms  of  functions  and  accomplishments  re¬ 
lating  to  the  proposed  equipment? 

•  Does  the  proposal  include  planned  assignment  of  responsibilities  for  reliability 
program  accomplishments? 

•  Is  it  clear  by  what  means  the  reliability  program  may  influence  development  of 
the  proposed  equipment? 

•  Have  internal  “independent”  reliability  assessments  been  scheduled? 

•  Does  the  reliability  demonstration  test  program  designate  which  equipments, 
assemblies,  or  components  will  be  tested,  and  to  what  extent? 

Figure  3-3.  Proposal  Evaluation  Guide  (Sheet  1) 
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•  Does  the  proposal  provide  justification  (data  derived  from  testing  or  other  ex¬ 
perience)  for  the  exclusion  of  specified  items  from  demonstration  testing? 

•  Is  the  proposed  documentation  of  activities,  events,  and  analysis  designed  for 
ease  of  monitoring,  ease  of  data  retrieval,  and  us  on  future  programs? 

•  Are  planned  accomplishments  (events)  scheduled  and  included  in  PERT,  if  appli¬ 
cable? 

Acceptance  Testing: 

•  Has  the  bidder  agreed  to  perform  acceptance  tests  and  included  the  costs  and 
time  within  his  proposal? 

•  If  acceptance  test  plans  were  not  included  in  the  request  for  proposal,  has  the 
bidder  recommended  any? 

•  Does  the  proposal  contain  a  positive  statement  concerning  the  bidder’s  liability 
in  the  event  of  rejection  by  the  acceptance  test? 

Background  Organization  and  Experience: 

•  Does  the  bidder  have  documented  reliability  experience  on  previously  developed 
equipments,  components,  etc.? 

•  Does  the  bidder  have  an  established  system  whereby  past  experience  is  made 
available  to  engineers  and  designers? 

•  Does  the  bidder  have  a  designated  group  (or  individual)  to  whom  designers  can 
turn  for  reliability  assistance,  including  part  ratings,  selection,  and  test  design? 

•  Does  the  assignment  of  responsibilities  indicate  that  reliability  is  treated  as  a 
line  function  rather  than  a  staff  function? 

•  Is  overall  responsibility  for  reliability  assurance  vested  in  top  management? 

•  Do  (or  will)  company  standards  manuals  or  other  documents  set  forth  standard 
reliability  operating  procedures? 

•  Does  the  bidder  have  in  being  a  formal  reliability  training  program  for  manage¬ 
ment,  engineering,  and  technical  personnel? 

•  Does  the  bidder  implement  and  conduct  planned  research  programs  in  support  of 
line  activities,  seeking  new  materials,  new  techniques,  or  improved  analytical 
methods? 


Figure  3-3.  Proposal  Evaluation  Guide  (Sheet  2) 
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Review  Contractual 
Documents _ 

project  engineer  should  review 
contractual  documents  prior  to  contract  nego¬ 
tiation.  Changes  in  the  reliability  require¬ 
ments,  the  reliability  program,  or  the  accep¬ 
tance  test  that  are  recommended  in  the 
proposal  submitted  by  the  successful  bidder, 
if  accepted,  must  be  reflected  in  the  design 
specifications,  references,  or  contractual 
documents.  When  the  recommendations  are 
not  accepted,  the  prospective  contractor 
should  be  notified  early  in  the  negotiation 
period  in  order  that  his  cost  and  time  esti¬ 
mates  may  be  adjusted  prior  to  final  nego¬ 
tiation. 


STEP  7  - 


Implement  Reliability 
Program  in  Design 


Both  contractor  and  project  engineer 
should  implement  and  monitor  the  reliability 
program  during  design.  The  contractor  is 


committed  to  perform  in  accordance  with  the 


referenced  specifications  and  items  covered 
in  the  contractual  documents.  (Unless  the 


proposal  is  a  referenced  document  in  the 


contract,  the  contractor  is  not  obligated  by 
its  statements.)  The  project  engineer’s 
primary  avenue  of  monitoring  is  the  review 
of  reports,  as  follows: 


A.  Initial  Technical  Report  —  The  follow¬ 
ing  major  items  of  the  initial  report 
should  be  promptly  reviewed  and 
judged  for  adequacy: 


•  Progressive  reliability  milestones 
and  monitoring  schedule. 

Progress  Reports  —Follow-up  technical 
reports  during  the  design  phase  should 
be  reviewed  for: 

•  Status  of  design  reviews  and 
pertinent  results. 

•  Trade-offs  and  reliability  con¬ 
siderations  in  the  selection  of 
parts,  circuits,  and  configurations. 

•  Reliability  allocations  and  require¬ 
ments  included  in  subcontractor  or 
vendor  supplied  items. 

•  Reliability  predictions: 

(1)  Check  model  consistency  and 
accuracy; 

(2)  Insure  that  all  parts  and  units 
are  included; 

(3)  Insure  that  failure  rate  data 
from  report  to  report  remain 
constant  unless  change  is 
justified  by  data. 

•  Summary  of  test  results. 

•  Summary  of  reliability  problem 
areas  and  planned  solutions 


•  Contractor’s  understanding  and  in¬ 
terpretation  of  the  reliability 
requirements  specified  in  the  con¬ 
tract,  with  a  description  of  the 
engineering  approaches  contem¬ 
plated. 

•  Description  of  the  reliability 
assurance  program  and  monitoring 
procedures  to  be  used  throughout 
the  contract  period. 


•  Adherence  to  reliability  program 
schedule. 

•  Analysis  of  the  effect  that  schedule 
changes,  design  problems,  ana  pro¬ 
curement  delays  will  have  upon  the 
reliability  program. 

•  Status  of  reliability  program 
activities  in  relation  to  the  program 
plan  submitted  in  the  initial  report. 
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C.  Separate  Reliability  Design  AatlyiU 
and  Prediction  Report  -  The  separate 
reliability  design  analysis  and  pre¬ 
diction  report(s)  should  contain  a 
thorough  analysis  of  the  design.  De¬ 
sign  analysis  should  include 

•  Reliability  predictions  in  accord¬ 
ance  with  ML-STD-756A  and 
M1L-HDBK-217. 

•  Comparison  of  present  design  status 
of  the  equipment  with  the  contractual 
requirements. 

•  Analysts  of  failure  modes,  summary 
of  findings,  and  plan  to  design 
changes. 

•  Results  of  tolerance,  stability,  and 
life  tests. 

•  The  effects  of  total  program 
problems  upon  notability  status 
and  achievements. 

•  Actions,  tf  required,  that  are  planned 
in  order  to  improve  the  reliability 
of  the  design 

D.  Progress  Kvtlwiim  -  Effective 
monitoring  requires  periodic  progress 
evaluations  as  one  of  the  Quality 
Assurance  provisions  in  assessing 
reliability  attainment  Progress 
evaluations  wheeled  during  design 
phases  should,  in  general,  verify  that 
the  reliability  assurance  program 
approved  in  the  initial  technical  report 
is  in  fact  being  implemented  and  that 
the  progress  reports  are  complete  and 
factual  with  respect  to  progress  and 
problems  reported  The  overall  effec¬ 
tiveness  of  the  reliability  program  can 
be  partially  assessed  (final  assess¬ 
ment  comes  with  the  acceptance  test 
and  subsequent  Fleet  use)  by  de¬ 


termining  the  degree  lo  which  the 
program  has  influenced  the  following 

(a)  Simplicity  and  conservatism  in 
design. 

(b)  Recurrence  control  of  failures 
and  reduction  in  the  effects  of 
failure. 

(c)  Safety  factors  and  derating 
policy  in  component  and  part 
applications. 

td)  IVmision  for  functional  in¬ 
dependence  among  major  sub¬ 
systems 

(r)  Due  consideration  of  reliability 
in  trade-off  decisions 

(0  Documentation  of  reliability  m 
specifications,  operating  in¬ 
struct  too  a.  and  handbooks. 

Ig)  Reliability  requirements  con¬ 
sidered  in  test  planning  and 
design 

(h)  Analvsi*  and  use  of  data  in 
problem  solving. 

(i>  Dissemination  of  reliability 
techniques  and  training  in 
their  use. 

(j)  Awareness  and  routine  con¬ 
sideration  of  reliability  as  a 
svstcffl  parameter  within  the 
various  personnel  skill  groups. 

R  is  suggested  that  the  moat  efficient 
way  of  conducting  these  progress 
evaluations  is  by  personal  discussions 
with  engineers.  test  technicians, 
specification  writers.  Comparisons 
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Engineers'  predictions  or 
estimates 

Data  feedback  from  tests 


versus 


Published  predictions 

Test  log  and  test  technicians'  observa- 


•  Engineers’ description  of 
design  reviews 

•  Personnel  from  whom  de¬ 
signer  obtains  reliability 
assistance 

•  Actual  company-spon¬ 
sored  reliability  training 
of  technical  personnel 

•  Actual  availability  of 
data  on  standard  parts 
from  past  esperience 

•  Designer's  knowledge  of 
reliability  requirements, 
including  environments 
and  performance  limits 

•  Procurement  personnel's 
considerations  in  vendor 
selection 

•  Part  counts  and  stress 
analysis,  from  working 
drawings 


versus 


VffSUS 


versus 


versus 


versus 


Program  plan:* 


Organizational  struc  ture 


Documented  company  training  program 


Stated  or  implied  availability 


Actual  requirement* 


Program  plan 


Those  presented  in  prediction  report 


Fifura  3-4.  Progress  Evaluation  Guidelines 


such  ss  those  listed  in  Figure  VI 
will  prove  fruitful 


The  project  engineer  an d  evaluation 
teem  should  prepare  a  detailed  report 
on  the  results  of  the  evaluation,  point¬ 
ing  out  sreas  of  compliance  and  pro¬ 


gress  as  well  a*  omission*.  Specifi¬ 
cally,  the  report  should  state  that 
progress  appear*  satisfactory,  or  not. 
in  relation  to  the  time  in  development 
and  the  contractual  requirements.  This 
will  aid  Bureau  management  in  de¬ 
riding  on  the  future  course  of  the 
development  program. 


3-15 


3-4  NAVWEPS  00*65*502 


Implement  Reliability 
Program  in  Development 


Both  contractor  and  project  engineer 
should  implement  and  monitor  the  reliability 
program  during  the  prototype-development 
phase.  Again,  reports  are  the  principal 
monitoring  tool,  as  follows 

A.  Progress  Reports  -  Each  progress 
report  must  update  its  predecessor  in 
each  area  of  coverage.  The  additional 
coverage  that  must  be  reviewed  is  as 
follows 

•  Subject  of  design  changes  to  the 
same  design  reviews  and  reliability 
analyses  as  were  performed  on  the 
original  design,  as  a  prerequisite 
for  incorporation  into  the  product. 

•  Summarized  /vmuIim  of  circuit 
temperature,  vibration,  and  other 
environmental  tests. 

•  Demonstration  test  plans  nod 
results. 


B.  Reliability  Design  Analysis  and  Pie* 
diction  Reports  -  This  series  of 
reports  should  become  successively 
refined  as  the  development  progresses. 
The  major  additional  points  to  review 
are 

a  Completion  of  stress  and  environ¬ 
mental  analysis  of  all  applications. 

a  Confirmation  or  rejection  of  pre¬ 
dicted  results  on  the  basis  of  test 
data. 

C.  Progress  Evaluation  -  Progress 
evaluations  performed  during  the  de¬ 
velopment  period  should  concentrate 

on 

•  Continued  adherence  to  the  program 
pi  a a. 

•  Subcontractor  and  vendor  success 
ib  a*eung  requirements. 

•  Development  test  program. 

•  Review  and  approval  of  data  which 
provide  confidence  in  the  reliability 
of  items  not  tested. 


STEPS 


•  Supporting  date  sod  justification  foe 
reliability  confidence  in  those  items 
not  subjected  to  reliability  demon¬ 
stration  tests  (cases  »n  which  s 
test  waiver  is  requested  should  be 
approved) . 

a  Summaries  of  failure  analysis  and 
major  discrepancies,  and  proposed 
solutions  for  the  latter. 

•  Approach  to  packaging  designs  and 
methods  of  environmental  analysis. 

•  Progress  in  the  procurement  and 
use  of  end-item  parts. 


a  Degree  of  analysis  and  feedback  in 
the  failure-reporting  activity. 

a  Deviations,  waivers,  and  modifi¬ 
cations  of  the  prototype  models 
from  the  design  initially  conceived 
or  still  planned  for  production. 


-  Monitor  Acceptance  Test 


The  project  engineer  should  monitor 
the  reliability  acceptance  test  and  approve 
the  test  report.  The  reliability  acceptance 


STEP  9 
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lest  plan  should  include  the  following  in¬ 
formation: 

•  A  complete  description  of  the  item  or  items 
to  be  submitted  for  acceptance  under  the 
test  requirements. 

•  The  test  conditions  to  be  applied,  includ¬ 
ing  operational  and  environmental  duty 
cycles  and  test  levels. 

•  Number  of  items  to  be  tested. 

•  Estimated  test  duration. 

•  Success  and  failure  criteria. 

•  Accept/reject  criteria  of  the  test  plan. 

•  Consumer's  risk  (a  measure  of  the  ade¬ 
quacy  of  the  test  plan  m  discriminating 
between  acceptable  and  unacceptable 
products). 


(In  comple*  system  development  programs 
where  H  is  not  feasible  to  perform  a  complete 
systems  acceptance  test,  individual  ac¬ 
ceptance  tests  for  various  sublevels  may  be 
specified,  together  with  methods  to  be 
tmployeri  for  synthesis  of  reliability  at  the 
system  level.) 

The  reliability  test  report  should 
summarize  the  test  plan  and  the  procedures 
employed.  It  should  note  any  deviations 
from  the  mitml  planning  document  with  their 
probable  effect  upon  the  test  results,  and  it 
should  include  the  applicable  reliability  re¬ 
quirements.  acceptance  criteria,  test  results, 
and  conclusions. 

If  a  design  is  rejected  bv  the  test,  the 
test  report  should  contain  a  detailed  analysis 
of  failures  and  the  contractor' s  plan  to  over¬ 
come  the  deficiencies  in  the  design. 


Implement  Reliability 
Program  in  Production 

Both  contractor  and  project  engineer 

should  implement  and  monitor  the  reliability 

program  during  production  of  the  equipment. 

Throughout  production,  periodic  progress 

reports  should  be  reviewed  for: 

a  Design  changes,  in  order  to  insure  that 
each  production  engineering  and  design 
change  is  given  the  same  reliability  as¬ 
surance  considerations  and  approvals 
that  the  original  design  received. 

a  Procurement  of  pans  and  assemblies  in 
accordance  wnh  the  appropnaie  reliability 
requirements. 

a  Evidence  that  each  step  in  the  production 
process  has  been  evaluated  for  its  pos¬ 
sible  detrimental  effect  upon  reliability. 

a  Effectiveness  of  production  inspections 
and  collection,  analysis,  and  feedback  of 
lest  data  in  maintaining  design  quality. 

a  Summary  of  qualification,  environmental, 
and  other  teat  data. 

a  Compliance  with  the  production  acceptance 
tests. 


STEP  10 


STEP  1 1 


Monitor  Service  Test 


The  pro|ect  engineer  should  monitor 
the  service  test,  evaluation,  and  Fleet  per¬ 
formance  of  the  delivered  equipment.  The 
life  cycle  is  not  complete  until  the  reliability 
in  the  Fleet  has  been  evaluated  and  the  re¬ 
sults  have  been  recorded,  analyzed,  and  fed 
back  into  new  equipment  programs.  Moni- 
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toring  of  these  phases  in  the  equipment  life 
cycle  is  largely  by  review  of  routine  reports. 
Specifically,  the  following  should  be  reviewed 
and  analyzed: 

•  Reports  by  service  test  and  evaluation 
units,  such  as  the  VX  squadron.  (Where 
some  measure  of  control  can  be  main¬ 
tained,  required  data  should  cover  per¬ 
formance,  operating  time,  unit  and  part 
removals,  and  failure  symptoms.) 


•  Routine  failure  reports  (DD-787's,  EFR’s, 
and  FUR's). 

•  Specific  operating  unit  reports  detailing 
equipment  casualties,  problems,  etc. 

•  Operator  or  pilot  logs,  maintenance  shop 
logs,  and  overhaul  repair  facility  records. 

•  Logistics  and  experience  with  the  issu¬ 
ance  of  spare  parts. 


3-5  RELIABILITY  AND  MAINTAINABILITY  TRAINING 


3-5-1.  General 

The  concepts  of  reliability  and  main¬ 
tainability  in  weapon  system  development 
are  not  new,  r.or  are  they  too  complicated  to 
understand  if  they  are  clearly  and  simply 
described.  Only  a  few  of  the  fundamental 
principles  need  be  understood  by  project 
management  and  engineering  in  oHrr  to  put 
quantitative  measurements  on  these  two 
system  parameters  for  which  they  already 
have  an  intuitive  feel  |l  is  true  that  the 
complexities  of  redundancy,  statistical  test 
design  and  sampling,  and  many  other  aspects 
of  reliability  assessment  are  difficult  to 
understand  They  are  also  difficult  to  teach. 
()n  the  other  hand,  these  same  aspects  usually 
require  the  help  of  a  specialist  anyway,  so 
at  most  a  training  course  for  project  engineers 
need  only  make  them  aware  of  the  methods 
and  appreciative  of  the  need  for  this 
specialized  help  from  other  Bureau  offices 
whose  functions  are  to  provide  such  servires 

The  problem,  then  is  to  prepare  and 
present  a  highly  practical  course  m  the 
fundamentals  of  reliability  and  maintain¬ 
ability,  tailored  to  fit  the  needs  of  individual 
groups  within  the  Bureau.  Thus,  the  course 
must  be  dynamic  in  its  flexibility  and 


adaptability.  It  must  be  well  documented 
with  examples  and  “tools"  of  the  trade. 

3-5-2.  Guidelines 

One  of  the  best  concepts  of  teaching 
follows  the  well-known,  long-established, 
‘  on-the-job"  training  approach  wherein  the 
instructional  material  is  related  to  the 
specific  jobs  for  which  a  particular  group  is 
responsible.  The  following  guidelines  may 
be  helpful  in  planning  the  training  course: 

e  The  rourse  should  be  a  conference- type 
presentation,  with  prepared  notes  and 
figures  distributed  to  students  at 
least  one  week  in  advance. 

•  Maximum  use  should  be  made  of  case 
histones  -  hypothetical,  if  not  real  - 
to  demonstrate  the  application  of  re¬ 
liability  concepts  and  existing  docu¬ 
mentation^  to  specific  areas  of 
responsibility. 


L  Specific  •Hoi  *  «»rt»  •«  MH,-R-229?J  <*rp). 
¥IL-STtV756A.  MIL-HOBR-il?. 


3-18 


NAVWEPS 

•  Course  material  must  be  acceptable  to 
people  with  mixed  backgrounds  -  ad¬ 
ministrative  as  well  as  technical. 
Where  an  understanding  of  technical 
and  mathematical  details  is  vital  for 
the  application  of  a  concept,  these 
details  should  be  covered  in  appendices 
to  the  conference  notes 

•  Scope  of  course  content  should  range 
from  management  practices  to  engineer¬ 
ing  methods,  from  the  conceptual  stage 
of  system  development  through  delivery 
of  hardware  to  the  Fleet. 

•  Depth  of  content  (oral  presentation) 
should  be  ad)usted  to  fit  within  a  total 
of  eight  to  ten  sessions  of  one-and-a- 
half  hours  each. 

3-5-3.  Court*  Out  I  in* 

The  following  suggested  course  outline 
can  be  adapted  to  specific  needs  drawing  on 
appropriate  sections  of  this  handbook. 

•  What  you  should  know  about  basic 
concepts  of  reliability,  availability, 
and  matniatnabiltly  as  measurable 
product  characteristics 

-  How  to  define  these  characteristics 
for  specific  equipments. 

-  How  to  graphically  and  mathe¬ 
matically  “visualize"  these 
characteristics; 

-  How  to  measure  reliability  and 
availability  with  known  confidence. 

•  What  you  should  know  about  specifi¬ 
cations  pertaining  to  reliability  and 
maintainability; 

-  How  to  determine  requirements  for 
parts,  equipments,  systems. 


00-65-502  3*5-2  ,0  3-5-3 

-  How  to  specify  the  requirements; 

-  How  to  specify  tests  for  compliance 
with  given  confidence. 

a  What  you  should  know  about  reliability 
as  an  engineering  function: 

-  How  to  estimate  reliability  feasi¬ 
bility  of  new  design  concepts; 

-  How  to  predict  reliability  achieve¬ 
ment  during  the  design  and  develop¬ 
ment  phase, 

-  How  to  evaluate  the  described 
reliability  problem  areas,  for 
correction  early  in  design. 

•  What  you  should  know  about  reliability 
as  a  reliability-assurance  function: 

-  How  to  '‘control"  reliability; 

-  How  to  demonstrate  reliability 
achievement. 

•  How  to  review  and  develop  specific 
equipment  and  system  program  plans 
and  specification* 

-  Requirements; 

-  Quality  assurance  provisions  for 
reliability  and  maintainability. 

a  How  to  review  development  status  of 
specific  systems 

-  Reliability  assessment. 

-  Problem  areas. 

•  What  you  should  know  about  contractor 
reliability  programs 

-  How  to  evaluate  a  program; 
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-  How  to  specify  program  requirements;  -  Procurement  documentation, 

-  How  to  monitor  contractor  programs  _  Monitoring  and  follow-up. 

for  compliance. 


•  What  you  should  know  about  reliability 
monitoring  and  failure  diagnosis: 

-  In  design,  development,  production, 
and  field  use, 

-  To  assure  earliest  practicable 
correction. 

•  What  specific  steps  you  can  take  to¬ 
day  to  assure  higher  reliability  and 
maintainability  in  systems  for  tomorrow 

-  Requirements  analysis  and  specifi¬ 
cations, 

-  Demonstration  and  acceptance. 


3-5-4.  Planning  Considerations 

The  proposed  outline  should  be  co¬ 
ordinated  with  designated  staff  members  of  a 
particular  branch  in  order  to  more  exactly 
fit  the  needs  of  that  branch  -  to  more  com¬ 
prehensively  satisfy  all  the  needs  within  the 
student  group.  However,  it  is  difficult  to 
achieve  universal  acceptance  without  sacrific¬ 
ing  details  in  certain  restrictive  yet  vitally 
important  areas  of  interest,  and  a  “pi ay-by- 
ear' '  approach  is  the  best  method  for  keeping 
the  course  dynamically  in  tune  to  the  needs 
of  the  group. 
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CHAPTER  4 

DOCUMENTATION  OF  RELIABILITY 
AND  MAINTAINABILITY  REQUIREMENTS 


4-1  INTRODUCTION 


4-1-1.  Pvfpow  and  Scop* 

It  is  now  generally  recognized  that 
early  system  development  plans  are  not 
complete  if  they  do  not  quantitattoely  define 
the  required  characteristics  of  the  product  or 
system  proposed  for  development  While  in 
the  past  the  characteristics  of  a  new  equip¬ 
ment  or  system  have  been  adequate  to  guide 
development  effort  toward  full  realization 
of  performance  requirements,  they  have  not 
been  sufficiently  descriptive  of  the  relia¬ 
bility  and  maintainability  characteristic* 
required  for  system  success  under  Fleet  use 
conditions. 

It  is  also  a  generally  accepted  fact 
that  these  important  “success"  character¬ 
istics  must  be  plemmod  for  and  deaig nod  m  - 
they  cannot  be  Inter  added  to  the  system  ss 
an  afterthought.  One  need  only  to  review 
field  reports  from  present  systems  to  become 
acutely  aware  of  the  disparity  between  what 
was  needed  (but  not  specified)  and  what 
was  delivered  (but  not  wanted) 

This  chapter  of  the  handbook  outlines 
step-by-step  procedures  for  the  definition 
and  documentation  of  reliability  and  main¬ 
tainability  requirements  in  essentia!  planning 
documents,  specifications,  and  contractual 
taak  statements. 


The  problem  is  ooe  of  first  determin¬ 
ing  system  requirements  for  reliability  and 
maintainability  from  the  Specific  Operational 
Requirement  (SOR)  which  constitutes  the 
directive  for  preparation  of  the  Technical 
Development  Plan  (TOP)-*'',  then  defining  the 
requirements,  and  finally  documenting  these 
requirements  in  the  TDP  and  the  design 
specification,  in  order  to  give  the  system 
coocept  a  clean  entry  into  its  development 
cycle  -  to  assure  years  hence  that  an  opera 
ttooally  suitable  weapon  system  evolves  as 
a  result  of  good  pfenning  near,  followed  by 
effective  pweoit  of  planned  objectives 


4-1-2-  Oscmwatstim  Checklist 

Figure  4-1  presents  a  checklist  of  the 
technical  sod  operational  points  which 
should  have  been  defined  during  the  require¬ 
ments  analysis  stsge  discussed  in 
Chapter  2  The  chart  serves  as  a  checklist 
to  evaluate  completeness  of  information 
about  the  system  whose  requirements  are 
about  to  be  fully  documented  in  the  Tech¬ 
nical  Development  Plan  and  the  design 
specification 


b  Paragraph  2  *f  OP7IAV  1910  61  »<■*  •!*<>  SOR. 
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Requirements  Data  Must  Describe: 

•  Planned  installation,  storage,  and  tactical  deployment  of  the  system  -  type  of 
vehicle,  type  of  storage,  and  geographical  areas  of  use. 

•  Reaction  time  required  -  time  between  "command"  to  operate  and  “operate". 

o  Mission  duration  requirement  for  each  type  of  mission  or  operating  mode. 

•  Turnaround  tune  required  -  elapsed  line  be. ween  successive  missions. 

"if  Overall  mission  reliability  for  each  type  of  mission,  operating  mode,  and  specified 

level  of  performance,  allocated  do* n  to  the  subsystem  level. 

•  Availability  or  combat-ready  rate  (operational  readiness)  -  percent  of  the  total 
number  of  systems  that  are  to  be  "ready"  at  any  point  in  time,  or  percent  of  times 
a  system  must  successfully  respond  to  an  "operate"  command. 

•  Maintenance  and  operating  environmental  conditions  -  climatic,  facilities,  and 
support. 

•  Planned  utilization  rate  -  number  of  missions  expected  per  unit  of  time  under 
combat  conditions. 

•  Minimum  allowable  time  between  scheduled  maintenance. 

•  Test  and  checkout  philosophy  -  relent  of  automatism,  complexity  or  test  equip¬ 
ment,  degree  of  fault  isolation  and  indication  at  the  local  level,  degree  of  remote 
failure  monitoring. 

•  Echelons  of  maintenance  or  maintenance  concept  to  be  used  -  replaceable  modular 
packaging,  etc. 

•  Maintenance  and  crew  personnel  requirements  -  numbers  and  skills,  level  of 
training . 

Meantime -torepnir  requirement,  and  specified  level  of  "intrinsic"  system 
availability. 

Starred  items  are  directly  related  to  the  reliability 
and  maintainability  requirements  to  be  documented. 


Figure  41.  Check  I  i  at  let  Evaluation  of  Decuman  t  ary  Source  Do  to 
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4-2  DOCUMENTATION 

OF  RELIABILITY  AND  MAINTAINABILITY  REQUIREMENTS 
IN  TECHNICAL  DEVELOPMENT  PLANS  (TDPt) 


4-2-1.  Rol*  of  A#  TOP 


The  Technical 
Development  Plan  (TDP) 

‘‘comprises  the  plan  for  the  fulfillment 
of  an  Advanced  Development  Objective 
or  a  Specific  Operational  Hequirement. 
U  verve*  an  a  basic  decision-making 
document  at  the  Bureau  management 
level,  and  above  Approval  by  CNO 
constitutes  the  authority  to  commence 
development  commensurate  with  funds 
that  are  provided  by  separate  action 
When  funded,  the  TOP  become*  the 
primary  management  control  and 
reporting  document  for  the  life  of  the 
development  It  is  essential  that  u  be 
kept  uptodate  on  a  continuing  basis." 

-QPNAVINST  U 
1 1  December  1962 


Thus  the  important  role  of  the  TOP  is 
established. 

4-2-2.  TOP  Format 

There  are  two  ways  in  which  relia¬ 
bility  and  maintainability  retirement*  are 
documented  in  the  TDP: 


ll)  As  integral  requirements  of  the  system 
and  the  system  development  program,  in 
which  reliability  and  maintainability 
requirements  are  integrated  into  the 
overall  system  description  along  with 
performance  and  other  requirements;  and 

(2)  As  supplemental  requirements  presented 
in  separate  sections  (or  appended  as 
separate  documents) 

The  first  method  (integrated  require¬ 
ments)  is  consistent  with  the  argument  that 
tffoetirtnott  is  what  we  must  redly  attempt 
to  define,  and  effectiveness  is  jointly 
dependent  upon  the  three  major  system 
characteristics:  performance,  reliability, 

and  maintainability  (availability).  The 
second  method  arises  from  the  proven  need 
for  special  emphasis  on  the  effectiveness 
problem  in  compies  system*  In  either  case, 
reliability  and  maintainability  should  be 
treated  jointly  in  requirements  and  placing 
documentation,  since  both  must  be  simulta¬ 
neously  considered  by  the  designer  in 
effectiveness  optimization  tradeoff  studies, 
and  neither  can  be  separately  achieved  as  a 
system  requirement  without  due  considera¬ 
tion  of  the  other  dvnny  (At  design  pA<a*r. 

The  following  step*  are  related  to 
specific  sections  of  the  TDP.  consistent 
with  TOP  format  outlined  in  Bl’WEPINST 
1910  2A.  as  shown  m  Figure  4*2 
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Section 

Contents 

1. 

Cover  Sheet  and  Table  of  Contents 

2. 

TDP  Summary 

Block  1  -  Identification  and  Picture 

Block  2  -  Descriptive  Highlights 

Block  3  —  Major  Subsystems 

Block  4  -  RDT  &  F  Funding 

Block  5  —  Lead  Bureau 

Block  6  -  Technical  Director 

Block  7  -  Principal  Contractors 

Block  8  -  Major  Milestones 

Block  9  -  Fiscal  Year  Milestones 

3. 

Index  of  Effective  Pages 

1 

Narrative  Requirement  and  Brief  Development  Plan 

5. 

Management  Plan 

6. 

Financial  Plan 

7. 

Block  Diagram 

8. 

Subsystem  Characteristics 

9. 

Associated  System  Characteristics 

10. 

Dependability  Plan 

11 

Operability  and  Supportability  Plan 

12. 

Test  and  Evaluation 

13 

Personnel  and  Training  Plan 

14. 

Production  Delivery  and  Installation  Plan 

Fifwt  4*2.  Tin  Technical  Development  Plon  Format 


4-2-3.  Procedural  Step*  lor  Documentation 
of  Reliability  and  Maintainability  in 

TOP*. 


STEP  l 


Summarize  the  Reliability 

Requirement  in  the 

TDP  Summary _ 


Bloch  2  ••  Descriptive  Highlights 

Slat#  the  reliability  and  maintainability 
requirement,  the  effectiveness  or  "hill 
probability"  requirement,  aloof  with  other 
performance  characteristics. 


EXAMPLE: 

Kill  Probability  (per  mission)  .90 
Reliability  (2-hour  mission)  92 
Availability  9g 

Maintainability  (30  minutes)  90 
Performance: 

Mach  3  7 

Range  ,\M  175  0 

Blochs  t  and  9  Major  Milestones 

Show  as  milestones  the  completion 
of  reliability  maintainability  prediction 
analyses,  final  design  review,  prototype 
evaluation,  and  acceptance  tests  for  relia¬ 
bility  and  maintainability 
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STEP  2 


Prepare  Narrative  of 
-  Requirement  (Section  4 
of  TDP) 


State  the  system  operational 
reliability/maintainability  requirements  in 
narrative  form: 


EXAMPLE:  The  XYZ  system  shall 
operate  without  malfunction  and  re¬ 
lease  its  payload  within  the  prescribed 
tolerance  of  target  position  with  a 
minimum  probability  of  .8,  after  check¬ 
out  with  operational  test  equipment. 
Or,  more  simply,  the  system  shall  be 
capable,  after  checkout  with  opera¬ 
tional  test  equipment,  of  releasing  its 
payload  within  the  prescribed  area  and 
returning  to  the  ship  8  out  of  every  10 
attempts.  The  system  shall  maintain 
a  minimum  operational  readiness  of 
.92  while  the  ship  is  deployed;  or, 
more  simply,  the  system  shall  either 
be  operating  or  in  a  state  of  readiness 
to  operate,  on  the  average,  22  out  of 
each  24  hours. 


Describe  Subsystem 
Characteristics  (Section  8 
of  TDP) 


Include  for  each  subsystem  that 
portion  of  the  overall  requirement  assigned 
to  the  subsystem. 

EXAMPLE  (for  <it fined  mission): 

Total  System 

Reliability  Requirement  ■  .92 
Subsystem: 

Guidance  &  Command  -  9b 
Engine  &  Air  Frame  „  999 

Recovery  ,  99 

Autopilot  &  Stabilization  «  97 


STEP  3 


New  programs  -  those  that  have  not 
had  a  completed  feasibility  or  detailed 
requirements  analysis  performed  to  date  — 
may  state  that  certain  requirements  have  not 
yet  been  determined,  provided  a  fixed  date 
and  program  phase  for  their  determination 
are  shown  as  one  of  the  milestones  in 
Step  1. 

Indicate  whether  specific  components 
are  available  “on  the  shelf”  or  require 
development. 

Indicate  the  degree  of  technical  risk 
involved,  problems  anticipated,  plans  for 
solving,  and  adequately  describe  the  tech¬ 
nical  “how". 


Indicate  anticipated  interface 
problems  between  components  of  the  system 
and  the  plans  for  solving  and  testing.  Indi¬ 
cate  the  human  engineering  needed  to  assure 
optimum  performance  of  men  as  components 
of  the  system. 


STEP  4 


Describe  Associated  System 
Characteristics  (Section  9 
of  TDP). 


Describe  the  expected  interface 
problems  -  compatibility  of  tolerances, 
interactions  among  components,  induced 
environmental  hazards,  radio  interference 
problems,  etc.,  and  describe  plans  for  their 
solution  and  test  verification. 


EXAMPLE:  System  must  be  capable 
of  operation  in  a  nuclear  radiation 
Held  of  as  yet  undisclosed  magnitude. 
Nature  of  this  radiation  and  its  exact 
effects  on  system  performance  will 
be  evaluated  and  precisely  determined 
by  (date)  ,  as  reflected  in 

Milestone  No.  6  of  the  TDP  summary. 
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Describe  the  “Dependability” 
Plan  (Section  10  of  TDP) 


The  reliability/maintainability  pro¬ 
grams  and  specific  activities  which 
are  planned  and  scheduled  should  be  covered 
in  this  section  of  the  TDP.  A  recommended 
outline  for  the  reliability  and  maintainability 
plan  is  shown  in  Figure  4-3.  Outline  the 
reliability  program  plan  for  the  period 
covered  by  the  TDP  as  related  to  the  overall 


development  effort,  progress,  schedule,  and 
major  milestones.  Use  proposed  BuWeps 
Instruction,  subject  “Reliability  and 
Maintainability,  Instructions  Concerning”, 
for  general  guidance  and  wording  for  the 
appropriate  major  development  phases.  Fill 
in  details  peculiar  to  specific  programs. 
Specifi  -  reliability /maintainability  activities 
which  will  be  required  for  each  major  sub¬ 
system  development  should  be  listed.  The 
activities  given  in  WS-3250  -  BuWeps  "Gen¬ 
eral  Reliability  Specification”—  may  be  used 
as  a  guide  or  check  list. 


STEP  5 


A.  Technical  Requirements 

(1)  Nominal  (design  goat)  requirement*  (or  reliability,  availability,  and  maintainability. 

(2)  Minimum  acceptable  requirement*  and  acceptance  teat  condition*. 

3)  Definition  of  failure,  environmental  factor*,  nae  condition*,  and  lime  baae*  applicable  to  O) 
and  (2). 

(4)  Engineering  and  statiaUcal  criteria  for  acceptance  teat  deaign. 

(5)  Feaaibility  ealimate  and  apecial  deaign  conaideration*.  for  achievement  of  (1)  and  (2). 

B.  Program  Plan 

(1)  Applicable  documenla  and  specific  basis  for  the  program  plan. 

(2)  Organixation.  management,  and  monitoring  plan  for  "dependability'*  control  by  the  Project  Team. 

(3)  Reliability  and  maintainability  analyses  and  deaign  review  schedule. 

(4)  Reliability  specification  review  schedule. 

(5)  Review  of  parts  qualification  stains. 

C  Reliability  and  Maintainability  Status  Summary  to  Date 
U)  Program  stains  and  progress  anmmary. 

(2)  Summary  of  prediction  analyses  and  developswal  teat  results. 

(3)  Results  of  requireasent*  review,  reallocation,  and  tradeoff  studies. 

(4)  Definition  of  the  tea  moat  critical  problem  areas  and  action  requirements. 

(5)  Reassessment  of  reliability  sad  maintainability  growth  potential  and  program  realism. 

D-  Future  Plans  and  Actions 

(D  Correction  of  program  deficiencies. 

(2)  Resolntioa  of  technical  incompatibilities. 

£.  Schedule  of  Major  Milestones  and  Monitoring  Points 


Fi fur*  4-3.  Suggested  Format  for  on  Integrated  Roliobility  ond 
Maintainability  Assurance  Plon  for  Socfion  10  of  TDP 
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Establish  Reliability  and 
Maintainability  Schedule  of 
~  Major  Milestones  and  Program 
Review  Points 


A  checklist  of  the  major  milestones  to 
be  included  under  Item  E  of  Figure  4-3  is 
shown  in  Figure  4-4.  Responsibility  for 


accomplishment  of  the  specific  events  repre¬ 
sented  by  each  milestone  should  be  indi¬ 
cated  and  tentative  dates  for  accomplishment 
should  be  established.  The  checklist  repre¬ 
sents  a  minimum  of  points  deemed  neces¬ 
sary  for  controlled  growth  of  reliability  and 
maintainability  in  development.  Others 
should  be  added  as  required. 


MILESTONES 

DATE 

RESPONSIBILITY 

(1)  Ttcluticil  requirements  end  program  pin  documented  in  TOP. 

(2)  Requirements  documented  in  RFP. 

(3)  Requirements  nnd  nceeptance  lest  criteriu  included  iu  preliminary 
detail  specification!.. 

(4)  Technical  proposal  evaluated;  proponed  contractor  program  reviewed. 

(5)  Requirements  and  acceptance  leeta  spelled  ont  in  definitive  contract. 

(6)  Detailed  contractor  program  plan  reviewed,  modified,  and  approved. 

(7)  Detailed  technical  monitoring  plan  developed  and  implemented  by 
responsible  office. 

(fl)  Critical  points  of  contractor  activity  schedule  incorporated  into  TOP 

miles  tone  schedale. 

(9)  Preliminary  reliability  and  maintainability  aastyeia,  allocation,  sad 
feaaibility  study  completed  by  contractor. 

( 10)  Spociftcatioae  reviewed  and  npdatad  on  basin  of  (9). 

(11)  Formal  design  review  procedures  documented  and  scheduled. 

(12)  First  design  review-,  reliability  stress  analysis  and  maintainability 
assessment  evaluated. 

(13)  Reliability  and  maintainability  requirements  documented  is  enb- 
cemtrsetor  specifications. 

(14)  Contractor  failure  reporting  and  eaalyaia  "feedbsch  loop”  imple¬ 
mented. 

(15)  Integrated  test  plea  foneaiWed  (or  reliability  and  maintainability 
evaluation,  control,  and  acceptance. 

(16)  Critical  problem  arena  defined  and  reported;  corrective  action  stains 
recommended. 

(17)  Reliability  evaluation  testa  conducted. 

( IS)  Maintainability  evaluation  testa  cob  doc  led. 

(19)  Dependability  assessment,  based  os  test  data  (tom  (17)  and  (18). 

(20)  Dependability  acceptance  testa  of  prototype  models  began. 

(2f)  Prototype  accept/reject  decision  reached  on  basis  of  (20). 

(22)  Plana  reviewed  and  formalised  tor  production. 

(23)  Dependability  requirements  and  acceptance  testa  defined  in  produc¬ 
tion  specifications. 

Figure  4-4.  Checklist  of  Major  Reliability  and  Maintainability  Milestones 
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STEP  7 


Describe  a  Maintenance 
Philosophy  for  the 
~  Supportability  Plan  and  the 
Personnel  and  Training  Plan 


STEP  9 


Verify  the  Development  Cost 
-  and  Time  (Sections  5  and  6 
of  the  TOP) 


•  Echelons  or  levels  of  maintenance, 
including  maintenance  tasks  and  skills 
required  for  each  level. 

•  Planned  use  of  built-in  maintenance  aids, 
such  as  self-test  features,  malfunction 
indicators,  specialized  or  standard  test 
equipment,  etc. 


Estimate  the  development  cost  by  the 
method  given  in  Chapter  9.  Use  these  esti¬ 
mates  to  verify  the  time  allotted  in  the 
schedule,  and  the  funds  budgeted  for  the 
development  phase  of  the  program.  In  the 
absence  of  other  inputs,  these  estimates 
may  be  used  in  the  management  and  financial 
plans  of  the  TDP  (Sections  5  and  6,  respec¬ 
tively). 


•  Planned  use  of  job  aids  such  as  trouble¬ 
shooting  logic  charts,  system  technical 
Manuals,  audio-visual  presentation  of 
maintenance  tasks,  etc. 


STEP  10 


Describe  the  Test  and 
-  Evaluation  Plan 
(Section  12  of  TDP) 


•  Other  design  features  which  may  affect 
spare  parts  and  repairs  such  as  use  of 
standard  circuits  from  specific  handbooks, 
disposable  modules,  etc. 


•  Unique  knowledge  of  skills  required  by 
the  system. 


STEP  8 


Describe  the 

-  Reliability  Maintainability 
Monitoring  Plan _ 


Outline  the  planned  reliability 
maintainability  test  and  evaluation  program 
and  schedule  (related  to  the  overall  test  and 
evaluation  schedules).  State  which  tests 
are  acceptance  and  which  are  evaluation  in 
nature.  Indicate  t'-e  desired  degree  of 
assurance  (confidence)  in  the  test  results. 


Prepare  detailed  description  of 
reliability  and  maintainability  measurements 
tests,  demonstration  tests,  and  acceptance 
tests.  Define  accept  reject  criteria,  test 
design  parameters,  and  decision  alternatives 
in  the  event  of  a  reject. 


Identify  by  BuWeps  code  personnel 
who  are  designated  the  responsibility  for 
monitoring  reliability/maintainability  pro¬ 
gress.  Describe  briefly  methods  and  fre¬ 
quency  of  monitoring  (i.e.,  monitoring  teams, 
independent  assessments,  review  of  pro¬ 
gress,  test  results,  contractor  reports,  etc.). 


(1)  Indicate  here  the  plans  for  tests, 
investigations  appraisals,  and  eval¬ 
uations,  including  assignment  of 
responsibility  for  who  does  what, 
when,  and  where.  Show  the  objectives 
or  goals  of  the  technical  evaluation  on 
which  acceptance  or  rejection  will  be 
based.  Indicate  any  unique  facilities, 
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equipment,  or  personnel  capabilities 
which  may  be  required. 

(2)  Indicate  here  the  recommended  tests 
and  evaluations  which  should  be  con¬ 
ducted  in  order  to  determine  operational 
suitability  under  service  operating 
conditions.  Indicate  anticipated 
requirements  for  Fleet  services.  Per¬ 
formance,  reliability,  maintainability, 
operability,  and  supportability  must 
be  verified  in  the  operational  environ¬ 
ment. 


Describe  Personnel  and 
-  Training  Requirements 
(Section  13  of  TDP) 

Describe  levels  of  personnel  training 
and  qualifications  of  operator/maintenance 
personnel  for  which  the  system  must  be 
designed;  and,  conversely,  describe  special 
training  requirements  (including  schedules, 
programs,  equipment,  facilities)  required  for 
full  exploitation  of  “inherent"  reliability 
and  “intrinsic"  availability  planned  as 
features  of  the  proposed  system. 


STEP  11 


4-3  DOCUMENTATION 

OF  RELIABILITY  AND  MAINTAINABILITY  REQUIREMENTS 
IN  PROCUREMENT  DOCUMENTS  AND  SPECIFICATIONS 


4-3-1.  General 


The  specification  is  .  .  . 

“a  document  intended  primarily  for 
use  in  procurement,  which  clearly  and 
accurately  describes  the  essential  and 
technical  requirements  for  items, 
materials  or  services  including  the 
procedures  by  which  it  will  be  deter¬ 
mined  that  the  requirements  have 
been  met". 

—Defense  Standardization 
Manual  M200A 


Manual  M200A  further  sets  forth  the 
following  general  policies  relative  to  the 
preparation  of  specifications: 

“Specifications  should  establish 
requirements,  insofar  as  is  practi¬ 
cable,  in  terms  of  performance  .  .  .  . 
however,  in  order  to  control  those 
features  of  design  which  pertain  to 
interchangeability,  compatibility,  reli¬ 
ability,  it  is  necessary,  in  most 
instances,  for  specifications  used  by 
the  Government  to  include  design 
requirements  which  achieve  these 
essential  controls.” 


4-9 


4*5*1  NAVWEPS  00-65-502 


While  the  specification  is  often 
referred  to  as  the  “communication  media” 
between  buyer  and  seller,  it  cannot  in  itself 
assure  the  buyer  that  the  seller  has  been 
communicated  with,  except  by  a  contractual 
stipulation  of  its  applicability  as  the  accept¬ 
ance  specification.  Accordingly,  the 
implementation  of  a  specification  ideally 
begins  with  the  initial  RFP,  in  order  to 
assure  that  prospective  contractors  are 
fully  aware  of  the  detailed  quantitative 
requirements  of  the  procurement  and  the 
quality  assurance  criteria  by  which  its 
acceptability  is  to  be  measured.  To  be 
responsive  to  the  RFP,  then,  the  prospective 
contractor  must  present  his  proposed  tech¬ 
nical  and  management  approach  toward  the 
fulfillment  of  requirements  as  defined  by  the 
specification.  The  contract  which  is  nego¬ 
tiated  on  the  basis  of  the  successful 
proposal  can  then  make  both  the  specifi¬ 
cation  and  the  proposal  contractually 
binding.  This  is  the  ideal  implementation 
cycle. 

Frequently,  however,  the  equipment  to 
be  developed  is  one  whose  concept  origi¬ 
nates  with  the  industry,  resulting  in  a  design 
proposal  before  the  design  specification  has 
been  developed.  In  these  instances,  the 
project  engineer  may  require  the  submission 
of  a  proposed  design  specification  in  M200A 
format,  i/for  review  and  revision  as  required 
to  meet  the  needs  of  the  equipment  class. 
Now,  as  before,  the  specification  should 
become  contractually  binding  as  the  legal 
description  of  the  product  to  be  developed. 

In  other  cases,  the  very  nature  of  the 
procurement  may  indicate  the  impracti¬ 
cability  of  a  firm  specification  requirement 


%}  Bare  (a  of  Naval  Weapons  Specification  XAV-1000 
provides  a  recommended  format  to  guide  the 
preparation  of  development  specifications  for 
Avionics  equipment. 


at  the  time  of  a  contract  award.  Here,  an 
“objective”  design  specification  is  pre¬ 
pared.  One  of  the  contractual  tasks  can 
then  require  an  evaluation  of  specification 
realism  -  to  determine  the  feasibility  of  the 
objective  requirement.  In  this  case,  the 
specification  is  adjusted  for  realism,  con¬ 
sistent  with  the  proposed  design  approach, 
before  design  is  permitted  to  proceed. 

Reliability  specification  requirements 
consist  of  three  distinct  but  related  areas 
of  coverage: 

1.  Detailed  quantitative  requirements. 

2.  General  program  requirements. 

3.  Quality  assurance  provisions. 


These  three  areas  may  be  included  in  the 
overall  design  specification  for  a  product 
(Method  A)  or  covered  under  a  separate 
reliability  specification  (Method  B). 

Method  A  -  Integrated  Specifications: 
Reliability  as  a  design  parameter 
is  logically  specified  in  Section  3 
of  the  design  specification  (both 
detailed  and  general  coverage) 
and  the  quality  assurance  prov- 
sions  integrated  into  the  overall 
provisions  of  Section  4. 


Method  B  -  Separate  Specifications: 
This  alternative,  although 
commonly  used  today,  is  recom¬ 
mended  only  when  clarity  and 
simplicity  can  be  greatly 
enhanced.  A  reliability  specifi¬ 
cation  must  follow  approved 
specification  format,  consisting 
of  the  following: 
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1.  Scope 

2.  Applicable  Documents 

3.  Requirements 

4.  Quality  Assurance  Provisions 

5.  Preparation  for  Delivery 

6.  Notes 

4*3-2.  Procedural  Stops 

Whether  Method  A  or  B  is  used,  certain 
basic  information  must  be  included  in  each 
section.  In  either  case,  an  equipment  or 
system  description  should  ultimately  include 
the  information  itemized  under  the  following 
steps.  While  the  procedural  steps  relate  to 
specific  sections  of  M200A  specification 
format,  they  are  equally  applicable  to  design 
documentation  in  requests  for  proposals 
(RFP's)  and  contract  task  statements. 

Define  Scope  and  Purpose  of 
“  the  Specification  (Section  1) 


Present  a  clear,  concise  abstract  of 
the  total  coverage  embraced  by  the  speci¬ 
fication,  with  a  short  but  comprehensive 
description  of  the  item  to  be  developed, 
the  system  with  which  it  is  to  work,  and  the 
functional  role  to  be  performed.  Define  the 
specific  objectives  of  the  specification  - 
to  establish  requirements  for  reliability  and 
maintainability  and  to  prescribe  acceptance 
test  requirements  by  which  compliance  is  to 
be  assured. 

Specify  Other  Applicable 
~  Documents  (Section  2) 


Reference  only  those  specifications 
and  documents  that  are  referenced  in  the 
body  of  the  specification.  (Additional 
references  not  directly  pertinent  tend  to 
cloud  the  basic  specification  requirements.) 
Documents  referenced  must  be  available  in 
approved  form  at  time  of  specification  issue. 


4-3-1  to  4-3-2 

Describe  System  Operational 
Requirements  (Section  3) 


Reliability  and  maintainability  are 
system  characteristics  in  the  same  sense 
that  speed,  range,  and  maneuverability  are 
system  characteristics.  To  be  placed  in 
proper  perspective,  however,  other  opera¬ 
tional  requirements  must  be  described  to 
insure  full  understanding  of  the  R&M  require¬ 
ment.  Include  the  information  outlined  in 
Figure  4-1  for  a  full  definition  of  system 
requirements. 

The  dividing  line  between  a  satis¬ 
factory  and  unsatisfactory  system  is  seldom 
clearly  defined  in  present-day  system  speci¬ 
fications;  yet  this  is  a  necessity  for  a 
complete  quantitative  reliability  statement. 
Current  practice  in  design  and  development 
specifications  is  to  specify  “design  goals’’ 
while  nevertheless  being  willing  to  accept 
somewhat  less.  The  inclusion  of  a  quanti¬ 
tative  reliability  requirement  thus  requires 
at  the  outset  that  the  “somewhat  less”  be 
explicitly  defined. 


EXAMPLE :  Present  radar  design 

specification  calls  for  the  system  to 
“detect  1  sq.  meter  targets  at  300,000 
yards.”  Inclusion  of  a  quantitative 
requirement  necessitated  the  following 
change:  “The  design  objective  shall 
be  to  detect  1  sq.  meter  targets  at 
300,000  yards.  The  system  shall  be 
considered  unacceptable  if  1  sq.  meter 
targets  are  not  detected  to  at  least 
176,000  yards  and  marginal  out  to 
225,000  yards.” 


The  preferred  method  is  to  include 
both  design  objectives  and  minimum  accept¬ 
able  values  as  a  lower  tolerance  limit  on 
the  performance  parameter. 


STEP  1 


STEP  2 


STEP  3 
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STEP  4 


—  Describe  “Use"  Conditions  (Section  3) 


Establish  in  standard  terminology  the  conditions  under  which  the  item  must  provide  the 
above  performance.  “Use”  conditions  refer  to  all  known  use  conditions  under  which  the 
specified  reliability  is  to  be  obtained,  including  the  following: 


Temperature 

Humidity 

Shock 

Vibration 


Pressure  Weather  (wind,  rain,  snow) 

Penetration/Abrasion  Sea  State 

Ambient  Light  Operator  Skills 

Mounting  Position 


and  other  conditions  covered  in  MIL-STD-210A,  "Climatic  Extremes  for  Military  Equipment". 


The  "Use"  conditions  are  presented  in  two  ways: 

Narrative: 

Brief  description  of  the  anticipated  operational  conditions  under  which  the  system 
will  be  used. 


EXAMPLE: 

(1)  The  MK  000  Computer  will  be  installed  in  temperature-controlled  spaces 
aboard  ships  of  the  DD  and  DLG  classes. 

(2)  The  TOY  missile  must  be  capable  of  withstanding  exposed  shipboard 
environments  encountered  while  suspended  from  the  launcher  arm  for 
periods  up  to  two  hours.  This  includes  possible  ice-loading  conditions 
in  subzero  weather. 

Specific: 

Itemized  list  of  known  or  anticipated  ranges  of  environments  and  conditions. 
When  changes  of  environment  are  expected  throughout  an  operating  period,  as  in 
an  aircraft  flight,  an  environmental  profile  should  be  included. 


EXAMPLE: 

(1)  MK  000  Computer  shall  operate  as  specified  under  the  following  environ¬ 
ments,  either  singly  or  combined: 


Vibration: 
Ship  Motion: 
Roll: 
Pitch: 
Yaw: 

Temperature: 
Humidity: 
Input  Power: 


10-25  cps  at  2.5g 

47° 

10° 

20° 

65°F.  to  80°F. 
to  95% 

Nominal  440  cps  at  110  v.  ±  20% 
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(2)  The  AN/ARC-000  shall  meet  its  performance  requirements  when  subjected 
to  the  mission  temperature  profile,  as  illustrated  in  Figure  4-5. 


TEMPERATURE,  °C 


h  U  t5 

TIME 


Figure  4-5.  Temperature  Profile 


MIL-STD-210A  provides  comprehensive,  worldwide  environmental  coverage.  Many 
individual  specifications  for  specific  categories  of  systems  provide  environemental  classifi¬ 
cations  which  may  be  referenced  providing  the  standard  environments  adequately  cover  the 
specific  system’s  planned  “use”  conditions.  The  practice  of  stating  extreme  environmental 
ranges  for  systems  which  will  be  used  under  controlled  or  limited  conditions  leads  to  undue 
costs,  both  in  development  and  production. 

EXAMPLE:  A  general  purpose  digital  computer  for  shipboard  fire  control  systems 
will  be  installed  in  air-conditioned  ship's  spaces  (65°F.  to  80°F.).  With  planned 
forced  air  cooling,  the  system  can  be  compactly  built.  Cabinets,  doors,  and  drawers 
do  not  need  insulation  or  weatherproofing.  The  specification  of  temperature 
requirements  of  -55°C.  to  ♦SS'C.  would  increase  the  size  and  weight.  The  cabinet 
would  require  insulation  and  an  elaborate  temperature  control  system  installed  to  provide 
both  heat  and  cooling;  or  major  circuit  development  would  be  required  to  render  the 
device  insensitive  to  temperature  changes  -  both  approaches  are  unwarranted. 
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Define  the  Time  Measure  either  in  terms  of  duty  cycles  or  profile 
or  Mission  Profile _  charts. 

Time  is  vital  to  the  quantitative 
description  of  reliability.  It  is  the  indepen¬ 
dent  variable  in  the  reliability  function.  The 
system  usage,  from  a  time  standpoint,  in 
large  measure  determines  the  form  of  the 
reliability  expression  of  which  time  is  an 
integral  part.  The  types  of  mission  times 
commonly  encountered  are  given  in 
Figure  4-8.  For  those  cases  where  a  system 
is  not  designed  for  continuous  operation, 
total  anticipated  time  profile  or  time 
sequences  of  operation  should  be  defined 


TOTAL  TIME  IN  HOURS 

Figure  4-6.  Typical  Operational  Sequence  for  Airborne  Fire  Control  System 


EXAMPLE:  The  mission  reliability 
for  the  “x”  missile  fire  control 
system  shall  be  at  least  .9  for  a  6-hour 
mission  having  the  typical  operational 
sequence  illustrated  in  Figure  4-6. 


From  the  example  it  can  be  seen  that  a  large 
portion  of  the  time  was  standby-time  rather 
than  full-power-on-time. 
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STEP  6 


Specify  Reliability  Design 
Objectives  and  Requirements 
(Section  3). 


The  intent  of  this  subparagraph  is  to 
mt  out  the  specific  functions  in  which 
liability  improvement  is  sought.  It  is 
suggested  that  both  the  specific  functions 
to  be  improved  and  the  nature  of  the  improve¬ 
ment  be  described  in  enough  detail  that 
prospective  designers  will  have  advantage 
of  the  earlier  feasibility  analysis. 


EXAMPLE:  “A  10-to-I  improvement 
in  servo  amplifier  module  reliability 
is  sought  as  a  design  objective. 
Specifically,  it  shall  be  the  objective 
to  reduce  tolerance  and  instability 
failures,  as  defined  in  the  description 
of  performance  characteristics  else¬ 
where  in  this  specification,  by  the 
application  of  inverse  feedback  at  the 
circuit  and  servo  loop  level,  and  to 
reduce  the  catastrophic  failure  rate 
by  the  application  of  redundancy  to 
those  critical  elements  in  which 
further  derating  is  ineffectual.” 


When  the  need  for  unconventional  or 
unique  design  approaches  can  be  determined 
in  the  predesign  phase,  they  should  be 
described  in  sufficient  detail  to  aid  the 
designer  who  must  ultimately  adopt  these 
or  equivalent  concepts  to  overcome  the 
indicated  limitations  of  conventional  design. 
Such  specific  design  requirements  would 
include: 


Redundancy  planned  in  the  system 
concept  as  a  means  of  overcoming 
anticipated  limitations  of  part  and 


component  reliability.  The  level  of 
complexity  at  which  redundancy  is 
needed  to  achieve  the  overall  reli¬ 
ability  requirement  should  be 
indicated,  and  whether  standby  or 
active  redundancy  is  contemplated. 


•  Special  parts,  components,  or  items  of 
GFE  on  which  the  system  concept  is 
based,  together  with  the  estimated 
reliability  and  references  to  supporting 
data  that  justify  the  specification  of 
such  particulars. 


•  Special  packaging,  modular  con¬ 
struction,  or  potting  methods  required 
to  conform  to  maintenance  and 
logistics  plans. 


•  Particular  maintenance  features 
contemplated  by  the  system  concept 
for  the  achievement  of  the  specified 
effectiveness  requirement.  These 
would  include  design  features  for 
scheduled  or  continuous  performance 
monitoring,  failure  indication,  and 
failure  sense-switch  devices,  and 
should  prescribe  the  system  levels  at 
which  these  features  were  considered 
to  be  applied  in  the  conceptual  deter¬ 
mination  of  maintainability  feasibility. 


STEP  7 


Specify  the  Quantitative 
Reliability  Requirements 
(Section  3). 


Specify  the  value  of  inherent  reliability 
on  which  the  success  of  the  conceptual 
system  is  based.  This  should  be  quantita¬ 
tively  defined  at  one  or  more  points  to 
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establish  the  desired  reliability  and  main¬ 
tainability  characteristics. 

Figure  4-7  illustrates  four  basic  ways 
in  which  a  reliability  requirement  can  be 
defined: 

(1)  As  a  “mean  life”  or  mean-time- 
between-failure,  MTBF.  This  defi¬ 
nition  is  useful  for  long-life 
systems  in  which  the  form  of  the 


reliability  distribution  is  not  too 
critical,  or  where  the  planned 
mission  lengths  are  always  short 
relative  to  the  specified  mean  life. 
Although  this  definition  is  ade¬ 
quate  for  specifying  life,  it  gives 
no  positive  assurance  of  a  speci¬ 
fied  level  of  reliability  in  early 
life,  except  as  the  assumption  of 
an  exponential  distribution  can  be 
proven  to  be  valid. 


Figure  4*7.  Four  Definitions  of  Reliability 
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(2)  As  a  probability  of  survival  for  a 
specified  period  of  time,  t.  This 
definition  is  useful  for  defining 
reliability  when  a  high  reliability 
is  required  during  the  mission 
period,  but  mean-time-to-failure 
beyond  the  mission  period  is  of 
little  tactical  consequence  except 
as  it  influences  availability. 


The  reliability  requirement  for  this 
system  could  be  expressed  as: 

“The  reliability  of  the  system 
shall  be  at  least: 


Case  I  -  High  power  search  - 

28  hours  MTBF 


(3)  As  a  probability  of  success, 
independent  of  time.  This  def¬ 
inition  is  useful  for  specifying 
the  reliability  of  one-shot  devices 
and  those  which  are  cyclic,  such 
as  the  flight  reliability  of 
missiles,  the  launch  reliability  of 
launchers,  the  detonation  reli¬ 
ability  of  warheads,  etc. 


(4)  As  a  “failure  rate"  over  a 
specified  period  of  time.  This 
definition  is  useful  for  specifying 
the  reliability  of  parts,  compo¬ 
nents,  and  modules  whose  mean 
lives  are  too  long  to  be  meaning¬ 
ful,  or  whose  reliability  for  the 
time  period  of  interest  approaches 
unity. 


Case  II  -  Low  power  search  - 

40  hours  MTBF 

Case  III  -  Track  - 

98  probability  of 
satisfactory  perform¬ 
ance  for  'j  hour” 


The  definition  of  satisfactory 
performance  must  include  limits  for 
each  case.  This  can  be  conveniently 
tabulated  for  inclusion  in  the  specifi¬ 
cation.  A  portion  of  the  Satisfactory 
Performance  Table  for  the  radar 
is  shown  in  Figure  4-9. 


Define  the  Specified 
Reliability  Requirement 
in  Terms  of  Nominal  or 
Mi  nimum  Values  (Section  3) 


Figure  4-8  summarizes  appropriate 
methods  of  stating  the  reliability  require¬ 
ments  for  various  functions,  usage,  and 
maintenance  conditions. 

EXAMPLE:  A  complex  radar  has  both 
search  and  track  functions.  It  is  also 
possible  to  operate  the  search  function 
in  both  a  low  and  high  power  mode. 


The  reliability  requirement  may  be 
specified  in  either  of  two  ways: 

•  As  a  NOMINAL  value  with  which 
the  Fleet  would  be  satisfied,  on 
the  average;  or 

•  As  a  MINIMUM  value  below  which 
the  Fleet  would  find  the  system 
totally  unacceptable. 
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\v  CONDITIONS 

\  OF 

\  USE 

LEVEL  \ 

OF 

COMPLEXITY  \v 

Continuous  Duty 

Long  Life 
(Repairable) 

Intermittent  Duty 

Short  Missions 
(Repairable) 

Continuous  or 

Intermittent 

(Non-Repairable) 

One-Shot 

(Time-Independent) 

Complex  Systems 
(Larger  than  500  AEG’s) 

R(l) 

R(t) 

R(t) 

P(S) 

Systems 

Subsystems 

Equipments 

(Less  than  500  AEG's) 

R(t) 

or 

MTBF 

R(t) 

or 

MTBF 

R(t) 

or 

A 

P(S) 

or 

P(F) 

Modules 

Components 

Parts 

(10  AEG's  or  less) 

A 

A 

A 

P(F) 

Code: 

R(t)  m  Reliability  for  specified  mission,  or  period  of  time 

,  « 

MTBF  •  Mean-time-between-failures.  or  mean  life. 

P(S)  »  Probability  of  success. 

P(F)  •  Probability  of  failure. 

-  Failure  rate. 

Figure  4-8.  Method*  of  Specifying  Reliability  According  to 
Lovols  of  Complexity  and  Conditions  of  U so 
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Figure  4-9.  Satisfactory  Performance  Limits 


Whichever  value  is  chosen  as  the  specified 
requirement,  the  following  rules  should  be 
applied: 

•  When  a  nominal  value  is  ipecified 
as  a  requirement,  always  specify 
a  minimum  value  which  the  system 
must  exceed. 

•  When  a  minimum  value  alone  is 
used  to  specify  the  requirement, 
always  insure  that  it  is  clearly 
defined  as  minimum. 

Of  the  two  methods,  the  first  is  by  far 
the  best,  since  it  automatically  establishes 
the  design  goal  at  or  above  a  known  nominal. 

Figure  4-10  shows  the  relationship 
between  "minimum”  and  "nominal"  values 
of  specified  mean  life,  as  they  would  appear 
on  the  operating  characteristic  (OC)  curve 


for  a  reliability  acceptance  test.  This 
relationship  is  discussed  in  considerable 
detail  in  Chapter  7  on  acceptance  test 
design. 

As  an  illustration  of  the  first  method 
consider  points  A  and  B3.  The  specification 
requirement  may  be  stated  as  follows: 

"1 1TPT  requirement.  The  nominal  and 
minimum  MTBF  requirements  for  System 
X  shall  be  met  when  tested  in  accordance 
with  Section  4  of  this  specification. 

" Nominal  MTBF.  The  nominal  MTBF  shall 
be  300  operate  hours. 

" Minimum  MTBF.  The  minimum  MTBF  shall 
be  at  least  100  operate  hours  demon¬ 
strated  at  the  90%  level  of  statistical 
confidence.” 
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P(A)  PROBABILITY  NOMINAL  REQUIREMENTS 


MEAN  UPE  IN  HOURS 


Figure  4-10.  Relationship  of  "Nominal”  Reliability  Requirement  to  "Minimum”  Acceptable 
Shown  on  Operating  Characteristic  (OC)  Curves  for  Reliability  Acceptance  Tests 


Specify  the  Maintainability 
Requirement  (Section  3) 


Figure  4-11  illustrates  a  typical 
maintainability  function,  with  two  basic 
methods  for  defining  the  maintainability 
requirement: 

(1)  As  a  mean-time-to-restore  require¬ 
ment.  This  definition  does  not 
control  the  distribution  of  mainte¬ 
nance  task  times.  The  definition 
is  useful  for  specifying  maintain¬ 


ability  of  long-life  systems. 

(2)  As  a  probability,  of  resto¬ 

ration  within  a  specified  period  of 
maintenance  time,  tr.  This  defi¬ 
nition  is  useful  for  systems  to  be 
designed  for  high  maintainability, 
employing  reliability-with-repair 
or  module  maintenance  concepts. 

The  following  are  examples  of 
paragraphs  that  might  be  included  in  a 
design  specification  to  cover  the  avail¬ 
ability  (maintainability)  requirement: 
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Effectiveness  considerations. 

The  equipment  shall  be  planned, 
des  gned,  analyzed,  and  reported 
as  outlined  in  the  following  sub- 
paragraphs: 

Effectiveness  requirement. 

The  effectiveness  requirement, 
when  determined  by  the  product  of 
the  service  use  reliability  and  the 
availability  goals  specified  in  the 
following  subparagraphs,  shall  be 
at  least  99%.  Trade-off.  adjust¬ 
ments  between  the  reliability  and 
availability  goals  may  be  initiated 


by  the  contractor  and  shall  be 
subject  to  procuring  activity 
approval. 

Availability  requirement. 

The  availability,  or  “operational 
readiness"  goal,  expressed  as  a 
percentage  of  the  number  of  times 
(at  the  start  of  a  mission)  that 
equipment  operation  is  success¬ 
fully  initiated,  divided  by  the 
number  of  times  equipment  oper¬ 
ation  is  demanded,  shall  be  at  least 
99.58%. 


m 


Figure  4-11.  Two  Definitions  of  Maintainability 
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Maintainability  requirement. 

The  maintainability  goal  expressed 
as  a  mean-time-to-restore  shall  be 
not  greater  than  1.7  hours  when 
determined  by  procedures  approved 
by  the  procuring  activity. 


Development  program  plans,  specifi¬ 
cations,  requests  for  proposals,  and  contrac¬ 
tual  documents  should  therefore  define  the 
specific  program  activities  and  assurance 
provisions  by  which  success  of  the  system 
development  program  is  to  be  monitored, 
guided,  and  assured.  Planned  requirements 
for  the  following  principal  program  activities 
should  be  defined: 


Define 

_  Reliability/Maintainability 
Assurance  Program 
Requirements  (Section  3) 


It  is  the  general  policy  of  the  Bureau 
to  describe  the  characteristics  of  the  system 
it  proposes  to  develop  in  sufficient  detail 
that  when  the  end  product  satisfies  the 
requirements  of  the  description  the  develop¬ 
ment  program  will  have  fulfilled  the  purpose 
for  which  it  was  implemented.  Responsibility 
for  satisfying  the  requirements  of  the  system 
description  must  rest  with  the  development 
contractor,  although  the  Bureau  will  provide 
management  and  engineering  guidance  for 
support  of  the  contractor's  program  toward 
fulfillment  of  the  system  requirement. 


The  Bureau  does  not  propose  to 
dictate  the  specific  methods  by  which  the 
contractor  is  to  achieve  specified  require¬ 
ments,  but  does  intend  to  evaluate  the  con¬ 
tractor’s  ’’output”  from  several  important 
reliability/maintainability  assurance  program 
monitoring  points,  to  assess  development 
status  and  progress  with  respect  to  “mile- 
stone"  goals.  Thus  both  the  Bureau  and  the 
contractor  can  forecast  impending  trouble 
and  take  preventive  action  long  before  the 
panic  stage.  The  outcome  of  the  develop¬ 
ment  program  can  thus  be  guided,  controlled, 
and  predicted  long  before  hardware  is  deliv¬ 
ered  to  the  Fleet. 


(1)  Test  and  Evaluation: 

Development  and  demonstration 
test  program  plan;  prototype  eval¬ 
uation  and  preproduction  accept¬ 
ance  test  plan  (acceptance 
criteria  and  sampling  risks); 
service  evaluation. 


(2)  Reliability  and  Maintainability 
Analysis: 

Prediction  and  apportionment 
studies;  design  review  and  stress 
analysis;  maintenance  task  and 
skill  analysis;  failure  mode  and 
consequence  analysis;  tolerance 
and  interaction  regression 
analysis;  maintenance  task  time 
and  motion  studies;  reliability- 
with-repair  and  redundancy 
studies. 


(3)  Reliability  and  Failure  Reporting: 

Failure  analysis;  corrective  action 
assignment  and  follow-up. 


(4)  Quality  Assurance: 

Vendor  and  subcontractor 
selection  and  control;  parts  and 
materials  specification,  qualifi¬ 
cations,  and  acceptance  testing; 
process  controls. 
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(5)  Reliability /Maintainability 
Monitoring: 

Monitoring  program  plan  and 
schedule  of  monitoring  points; 
tentative  assignment  of  “mile¬ 
stone”  goals;  schedule  of  planned 
requirements  and  trade-off 
reviews. 


( 6)  Documen tati on : 

Reporting  requirements  for 
contractor  program  plans,  proce¬ 
dures,  specifications,  design 
proposals,  failure  analyses; 
schedule  of  planned  review  of  TDP 
and  specification  documentation. 


STEP  11 


Specify  the  Quality 
_  Assurance  Provisions 
(Section  4) 


The  specification  must  now  set  forth 
the  methods  by  which  product  accept¬ 
ability  will  be  determined.  This  step 
involves  many  detailed  determinations  of 
approach  and  methods  which  are  based  not 
only  upon  technical  considerations  but  also 
upon  considerations  of  cost  and  time.  A 
partial  list  of  the  items  which  must  be  deter¬ 
mined  prior  to  establishment  of  quality 
assurance  provisions  follows: 


(a)  A  complete  description  of  the 
item  or  items  to  be  accepted  under 
the  test  requirements. 


Cautionary  Notes 

•  Do  not  expect  a  reliability 
assurance  program  to  provide 
unlimited  reliability.  On  the  con¬ 
trary,  expect  the  program  to 
provide  realistic  appraisals  of 
progress,  status,  and  potential  of 
the  overall  program. 

•  Avoid  specifying,  as  part  of  the 
reliability  assurance  program, 
organizational  or  internal  (con¬ 
tractor)  responsibilities  which 
would  limit  or  constrain  the  con¬ 
tractor’s  individual  approach. 

•  Reliability  analyses  or  assess¬ 
ments  are  primarily  design  guides 
and  monitoring  techniques  and 
should  not  be  used  as  acceptance 
criteria  or  in  lieu  of  acceptance 
testing. 


(b)  The  test  conditions  to  be  applied, 
including  operational  and  environ¬ 
mental  duty  cycles  (acceleration 
factors  permissible,  if  known). 

(c)  Number  of  items  to  be  tested. 

(d)  Estimated  test  duration. 

(e)  Success  and  failure  criteria. 

(f)  Accept/reject  criteria  of  the  test 
plan. 

(g)  Consumer’s  risk  (a  measure  of  the 
adequacy  of  the  test  plan  in  dis¬ 
criminating  between  acceptable 
and  unacceptable  products). 

In  complex  system  development 
programs  where  it  is  not  feasible  to  perform 
a  complete  systems  acceptance  test, 
individual  acceptance  tests  for  various  sub- 
levels  may  be  specified,  together  with 
methods  to  be  employed  for  synthesis  of 
reliability  at  the  system  level.  Detailed 
test  design  procedures  presented  in  Chapter 
7  of  this  handbook  will  assist  the  project 
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engineer  in  the  selection  of  the  most  appro¬ 
priate  test  method  and  the  most  suitable 
test  design  within  the  selected  method. 
Step  11  therefore  suggests  the  use  of 
Chapter  7  in  the  development  of  specific 
quality  assurance  measures. 


STEP  12  -  Follow  Through 

Even  though  the  reliability  and 
maintainability  requirements  for  the 
proposed  new  development  program  have 
been  determined,  defined,  and  documented 
in  the  Technical  Development  Plan,  there 
remains  the  task  of  effective  implementation 
of  the  planning  document  as  a  binding  con¬ 
tractual  requirement  on  those  in  whose  hands 
the  destiny  of  the  entire  program  will  ulti¬ 
mately  rest.  The  sequence  of  events  leading 
to  successful  implementation  is  straightfor¬ 
ward: 

(1)  Integrate  the  requirements  defined 
in  the  Technical  Development 
Plan  into  the  detailed  design  and 
development  program  specifi¬ 
cations  for  the  proposed  system. 

(2)  Reference  these  specifications  in 
requests  for  proposals,  empha¬ 
sizing  their  importance  by  inte¬ 
grating  principal  requirements  in 


the  statement  of  work  on  which 
the  bid  is  to  be  based. 

(3)  Review  design  proposals,  using 
the  TDP  and  the  design  specifi¬ 
cation  as  a  check  list  to  evaluate 
the  responsiveness  of  proposals 
to  the  initiating  RFP. 

(4)  Evaluate  bidder’s  understanding 
and  demonstrated  capability  to 
implement  and  successfully 
execute  the  program  on  which  he 
is  bidding. 

(5)  Reference  the  design  and  program 
specifications  as  applicable  docu¬ 
ments  in  the  contract  which 
results  from  (4)  above. 

(6)  Critically  read,  analyze,  and 
evaluate  program  planning  and 
status  reports  as  part  of  the 
planned  monitoring  program. 

(7)  Evaluate  program  effectiveness 
by  comparing  measured  progress 
in  achievement  of  technical  goals, 
with  planned  progress  established 
as  milestone  goals.  Do  not  eval¬ 
uate  on  the  basis  of  report  volume 
alone. 
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5-1-1  to  5-1-3 


CHAPTER  5 

RELIABILITY  DESIGN  AND 
DESIGN  ASSESSMENT 


5-1  INTRODUCTION 


5-1-1.  Principles  of  “Estimation" 

The  “design  phase’’  is  defined  as  the 
period  immediately  following  the  award  of  a 
development  contract.  In  this  phase  of  the 
equipment  life  cycle,  a  design  is  formulated 
to  meet  the  quantitative  requirements  stated 
in  the  design  specification.  The  contractor 
is  required  by  specification  and  committed 
by  contract  to  demonstrate  that  these  require¬ 
ments  are  being  met,  or  will  be  met  in  the 
course  of  the  contract  period.  The  only 
known  way  to  demonstrate  that  a  particular 
design  approach  will  satisfy  a  specified  re¬ 
quirement  while  the  design  is  still  in  the 
formative  “blueprint’’ stage  is  by  estimation  - 
estimation  of  expected  results  on  the  basis 
of  past  experience  with  other  designs. 

Designers  have  always  been  able  to 
estimate  or  “predict1 '  quantitative  per¬ 
formance  characteristics  of  their  designs 
with  good  accuracy,  because  the  operational 
equations  they  used  for  predicting  performance 
were  the  very  ones  used  for  deriving  the 
design  in  the  first  place.  Until  recently, 
however,  it  was  not  feasible  to  predict 
accurately  the  quantitative  reliability  charac¬ 
teristics  of  a  new  design,  because  math¬ 


ematical  “modeling’’  techniques  had  not  yet 
been  developed  for  expressing  the  reliability 
characteristics  of  different  design  con¬ 
figurations  and  the  failure  characteristics  of 
parts  used  in  these  designs  were  still  largely 
unknown. 

5-1-2.  Basis  for  Standardization 

MIL-STD-756A  and  MIL-HDBK-217  rep¬ 
resent  the  culmination  of  several  years  of 
effort  by  the  three  services  to  overcome  this 
lack  of  knowledge.  These  documents  now 
provide  standard  mathematical  modeling  pro¬ 
cedures  and  standard  failure  data  to  use  with 
the  procedures,  supplying  guidance  which  will 
permit  two  or  more  estimators  to  come  up  with 
the  same  realistic  prediction  for  the  same  de¬ 
sign  —  an  obviously  important  requirement  if 
prediction  procedures  are  to  be  used  initially 
for  evaluation  of  competitive  designs  and 
are  to  be  used  thereafter  for  “measuring” 
design  progress  toward  established  goals. 

5-1-3.  Applicability  of  Estimating  Procedures 

The  procedures  described  in  this 
section  follow  those  prescribed  by 
MIL-STD-756A,  and  demonstrate  the  use  of 
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data  presented  in  MIL-HDBK-217.  The  pro¬ 
cedures  are  useful  in  the  following  appli¬ 
cations: 

•  As  a  planning  tool  for  the  initial  estab¬ 
lishment  of  reliability  requirements. 

•  As  a  design  tool  to  guide  the  contractor's 
designer  in  the  choice  of  parts  and  circuit 
configurations  to  meet  the  specified  reli¬ 
ability  requirement. 


•  As  a  design  review  tool  by  contractor  man¬ 
agement,  for  the  evaluation  of  design  ade¬ 
quacy  to  meet  the  reliability  requirement, 
and  to  point  up  potential  reliability  prob¬ 
lem  areas  for  design  correction. 

•  As  a  monitoring  tool  for  the  assessment  of 
development  program  progress  toward  es¬ 
tablished  goals,  to  predict  and  circumvent 
oncoming  problems  before  the  hardware 
stage. 


5-2  STEP-BY-STEP  PROCEDURE 


5-2-1.  Basic  Considerations 

Design  reliability  assessments  can  be 
divided  into  two  phases: 

•  The  conceptual  or  design  proposal  phase  — 
in  which  a  prediction  is  based  on  the 
design  "concept”  as  reflected  in  develop¬ 
ment  specifications  and  early  design  docu¬ 
mentation. 


5-2-2.  Specific  Procedural  Steps 

Step  1  _  Define  *he  System  or 

-  Equipment. _ 

Develop  functional  block  diagrams  for 
the  complete  system  to  the  depth  that  design 
information  is  firm.  Define: 

•  Boundary  conditions  —  input/output  and 
interface  characteristics. 


•  The  design  or  development  phase  -  in 
which  predictions  are  based  on  the  actual 
"implemented”  design. 

In  either  case  the  procedure  for 
estimating  design  reliability  is  the  same. 
Application  of  the  procedure  will  vary  only  to 
the  extent  of  increasing  availability  of  de¬ 
tailed  design  information  as  the  program  ad¬ 
vances  from  phase  to  phase. 


•  Environmental  and  "use”  factors. 

•  Operating  modes  and  functions,  mission 
profiles,  and  duty  cycles. 

•  Success  and  failure  criteria  —  performance 
tolerances  and  degradation  limits. 

•  Physical  constraints  —  space,  weight,  and 
configuration. 
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As  an  example,  to  illustrate  this  and 
succeeding  steps,  consider  a  design  proposal 
for  an  airborne  integrated  electronic  central 
(comparable  to  AN/ASQ-19).  The  equipment 
is  to  provide  complete  communication- 
navigation-identification  (CNI)  functions  for 
the  aircraft  in  which  it  is  to  be  installed. 


Five  functions  are  to  be  performed: 

(1)  Communications  (COMM) 

(2)  Direction  Finding  (ADF) 

(3)  Intercommunication  (AIC) 

(4)  TACAN  (TACAN) 

(5)  Identification  (IFF) 


Equipment  boundaries  for  reliability  assess¬ 
ment  purposes  will  be  at  the  following  points: 

Aircraft  primary  power  terminals; 
Antenna  terminals,  except  ADF; 
Compass  synchro  transmitter  ter¬ 
minals; 

Push-to-talk  microphones  and  head¬ 
sets  (part  of  flight  suit); 
Cooling  air  supply  output  duct; 
Equipment  mounting  bases. 


Physical  characteristics  will  be: 

Power:  Not  to  exceed  400W  average 
drain  on  aircraft  primary 
supply. 

Weight:  Not  to  exceed 200  lbs.,  with 
individual  component  less 
than  50  lbs. 

Space:  Not  to  exceed  3.5  cu.  ft., 
within  specified  di¬ 
mensions. 


Performance  characteristics  will  be: 
Communications: 

Receiver  Transmitter: 

Power  output: 

20W  average,  I6W  minimum 

Modulation: 

AM 

Frequency  coverage: 

1750  channels,  225  to  400  MC  (19 
preset  channels) 

Guard  channel  (preset): 

243  MC 

Auxiliary  Receiver: 

20  preset  channels,  265  to  284.9 
MC,  including  guard  channel 

Navigation: 

TACAN: 

126  preset  channels  in  range  962 
to  1213  MC 

Bearing  accuracy  ±0.7  degree 
Range  0  to  196  nautical  miles 
Range  accuracy  ±0.1  mile  ±  .1% 
of  distance  reading 


ADF: 

Receive  over  range  of  225  to  400  MC 


Identification: 

IFF: 

Power  output: 

+27  (±3)  dbw  on  1090  MC 

Receiver  trigger  level: 

-79  dbv  on  1030  MC 

Modes: 

Mark  X  and  SIF 
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J 


Figure  5-1.  Simplified  Block  Diagram  of  Integrated  CNI  System 
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Mission  profile  will  be: 

The  complete  equipment  must  be 
capable  of  operating  without  failure 
throughout  a  3-hour  mission,  with  a 
probability  of  .9.  During  this  3-hour 
period,  the  transmitter  duty  cycle  will 
be  1/3  (5  minutes  on/10  minutes  off). 
All  other  equipment  must  be  operational 
100%  of  the  time.  Failure  of  any  of  the 
functions  will  be  classed  as  an  equip¬ 
ment  failure  in  the  primary  mode. 
Alternate  mode  capability  shall  be  pro¬ 
vided  for  guard  channel  monitoring,  and 
for  navigation  by  ADF  in  event  of 
TACAN  failure.  Centralized  CN1 
controls  shall  be  provided  for  pilot  and 
radar  observer.  These  can  be  con¬ 


sidered  redundant  so  long  as  the  AIC 
function  is  operational. 

A  simplified  functional  block  diagram 
fulfilling  the  requirements  of  the  above  per¬ 
formance  description  is  shown  in  Figure  5-1. 


STEP  2 


Develop  the  Reliability  Block 
Diagram. _ 


Continuing  with  the  CNI  example,  the 
navigation  function  will  be  used  to  illustrate 
a  design  assessment  of  reliability  status. 
Figure  5-2  is  the  overall  reliability  block 
diagram  with  the  navigation  function  high¬ 
lighted. 


r - 1 

•I  '»  !- 


IFF 


AIC 


Figure  5-2.  Reliability  Block  Diagram  for  the  Navigation  Function  (CNI) 
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The  reliability  model  for  Figure  5-2 
is  derived  as  follows: 


Thus, 
^NAV  = 


^NAV  =  ^1^2^3^'^ADF^TACAN^ 


(l-[l-R6R8(R4+R5-R4R5)][l-R9l) 


where  Oadf=U-Radf) 

is  the  probability  of  ADF  failure;  and 

QtACAN  =  U “ ^TACAN^ 

is  the  probability  of  TACAN  failure. 


^ut  ^ADF  - 

=  R6^4+^5'^4^5^8 


STEP  3 


Determine  Parts  Population  for 
Each  Block. 


Compile  a  list  of  parts,  by  circuit 
symbol,  for  each  of  the  blocks  in  the  navi¬ 
gation  reliability  model  of  Figure  5-2.  As  an 
example,  consider  Block  5,  the  ADF  and 
auxiliary  receiver. 


where  Q4  and  O5  arei  respectively ,  the  prob' 
abilities  of  receiver  failure,  i.e.: 

Q4  =  (l-R4) 

05  =  (1  •  R5> 


It  is  convenient  to  go  one  step  further 
in  block  diagramming,  if  the  proposed  design 
configuration  lends  itself  to  further  sub¬ 
division.  Assume,  for  example,  that  it  is 
proposed  to  design  the  receiver  using  four 
replaceable  modules  for  ease  of  maintenance, 
as  shown  in  Figure  5-3. 


r 


Figure  5-3.  Reliability  Diagram  of  ADF  Receiver 
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Within  the  RF  module,  the  AEG’s  proposed  by  the  designer  are  summarized  in  Figure  5-4. 
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Figure  5-5.  Port*  Count  for  the  Rocoivtr 


The  same  tabulation  would  be  extended 
to  other  modules  of  the  receiver,  resulting  in 
a  tabulation  of  parts  for  the  receiver  as  shown 
in  Figure  5-5. 

The  same  procedure  would  be  applied 
to  other  equipment  and  subsystems  used  in 
the  performance  of  the  ADF  and  TACAN 
navigation  functions,  to  produce  a  table  of 


equipment  parts  populations  in  the 
ADF/TACAN  Loop. 


STEP  4 


Determine  Appropriate 
-  Factors  and  “Base” 
Rate  for  Each  Part. 


Stress 

Failure 


As  pointed  out  in  M1L-STD-756A,  it  may 
be  necessary  in  early  design  assessments  to 


NAVWEPS  00-65-502 


5-2-2 


Figure  5-6.  Proposed  Circuit  Diagram  of  1st  RF  Stage 


apply  an  average  derating  or  stress  factor  to 
each  class  of  parts  on  the  basis  of  planned 
derating.  Later,  as  design  becomes  more 
definitive,  each  critical  part  should  be  in¬ 
dividually  evaluated  for  the  derating  factor 
actually  applied.  In  the  example  shown  in 
the  schematic  of  Figure  5-6,  the  1st  RF 
amplifier  of  a  proposed  ADF  receiver  RF 
module  will  be  analyzed  by  an  average  stress 
level  applied  to  all  parts  classes  except 
critical  parts  which  carry  heavy  currents  or 
dissipate  a  relatively  large  amount  of  power 
with  respect  to  ratings  -  e.g.,  tubes,  tran¬ 
sistors,  relays,  and  motors. 

MIL-HDBK-217  will  be  used  *o  deter¬ 
mine  failure  rates  under  the  stress  conditions 
anticipated  in  each  application.  The  example 
chosen  to  illustrate  the  procedure  assumes 
design  using  either  transistors  or  tubes  as 
active  elements.  Micromodules  are  discussed 
separately  in  another  subsection. 


Detailed  procedures  used  in  the  stress 
analysis  are  presented  here  to  illustrate  the 
general  method: 


j  Transistor  Q1 

(• 1  )  Determine  Circuit  Operating  Conditions 
for  Transistor  Application,  QL _ 

Silicon  Transistor  Type  2NXXXX: 

Ambient  Temperature  =  75°C 

Average  Ip  =  5mA 

Average  V(.  ^  =  9V 

Power  Dissipation  =  .005  x  9 

=  .045  watts 

Specification  Ratings: 

Rated  Dissipation  =  150  mW 
Derating  Interval  =  25°C  to 

150°C 
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Determine  Normalized  Temperature 
Ratio  from  the  Following  Equation 

~  Tactual  *  Trale<j 


© 


Determine  Normalized  Stress  Ratio. 

Applied  Dissipation  _  45  _  ^ 

Rated  Dissipation  150 


75-25  _  50  _  , 

"  150  -  25  ‘  125  " 

The  normalized  temperature  ratio  repre¬ 
sents  that  proportion  of  maximum  rated 
dissipation  used  by  the  excess  of  the 
particular  ambient  temperature  over  the 
temperature  at  which  derating  starts. 
This  relationship  is  shown  in  Figure  5-7. 


Entering  the  chart  shown  in  Fig  ore  5-8 
(Figure  14B  of  MlL-HDBK-217)at  a  nor¬ 
malized  temperature,  Tn  =  .4,  proceed 
to  the  stress/ failure  rate  curve  marked 
.3,  corresponding  to  the  wattage  ratio. 
The  estimated  average  catastrophic 
failure  rate  for  transistors  in  an  appli¬ 
cation  of  Q1  severity  is  indicated  as 
.52  x  10*6  failures  per  hour. 


TEMPERATURE  DERATING  NTERVAL 


Figure  5-7.  Dissipation  Derating  Curve  as  a  Function  of  Part 
Ambient  Temperature,  for  Transistor  Q1 
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Electron  Tubes 


Stress  Derating  Factor 


2.4 


3.3 


=  .72 


O  Determine  Circuit  Operating  Conditions  Heater  Voltage  Derating: 
for  the  Tube  as  Shown  in  Figure  5-9. 

Circuit  Ef 

Total  Dissipation  Derating:  Rated  E{ 

Heater  Derating  Factor  kf 

Plate  Dissipation  =  8  mA  x  130  V  =  1.04  watts 
Screen  "  =  2mAxl30V=  .26  watts 

Heater  "  =175mA  x6.3  V  =  l. 10  watts  Temperature  Derating: 


6.3 

6.3 

1.0 


Total  Dissipation  2.40  watts 

Rated  Dissipation  (M1L-E-1B)  3.3  watts 


Estimated  Bulb  Temp. 
Rated  Bulb  Temp. 
Temperature  Derating  kt 


=  165°C. 
=  165°C. 
=  1.0 


CURRENT, 


FROM  PROPOSED  DESIGN 
OF  FIGURE  5-6 


FROM'  MIL-HDBK-2 1 1 


U 


Figure  5-9.  Modifications  Necessary  for  Electron  Tube  AEG’s 


1/  “Techniques  for  Application  of  Electron  Tubes  in 
Military  Equipment",  Government  Printing  Office. 
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5-2-2 


©  Determine  Base  Failure  Rate. 

From  Table  IV,  MIL-HDBK-217, 

Receiving  type  Pentodes: 

“Base”  Failure  Rate,  B  =0.3%  per  1000 

hours 

=  3.0  x  10*6  failures/ 
hour 


justment  factor  for  a  dissipation  ratio  of  .72 
and  a  temperature  ratio  of  1.0  (at  165°  C). 
The  dissipation  adjustment  factor,  kd=.82. 


Compute  Adjusted  Base  Failure  Rate 
for  the  Particular  Application. _ 


Determine  Adjustment  Factors. 


Ab  =  ktk{kdB  =  (1.0X1. 0)(. 82X3.0  x  10~6) 


From  Figure  8B  of  MIL-HDBK-217,  as  shown 
in  Figure  5-10,  determine  the  failure  rate  ad- 


=  2.46  x  10*6  failures  per  hour 
for  Tube  V-l 


60  80  100  120  140  160  180  200°C 

BULB  TEMPERATURE 


Figure  5-10.  Temperature  Derating  Curves  for  Electron  Tubes 
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Resistors,  Capacitors,  and 
Other  “Passive"  Parts 


The  „ie  procedure  is  illustrated  now 
for  the  resistor  population  in  the  circuit, 
using  Figure  20B  of  MIL-HDBK-217 
shown  in  Figure  5-11.  Resistors  are 
found  to  be  operating  at  50%  of  dis¬ 


sipation  rating  from  the  stress  analysis, 
using  Ohms  Law:  P  =  E2/R.  Part 
ambient  temperature  is  estimated  to  be 
80°C.  Base  failure  rate  from  the  chart, 
is  then  .01%  per  1000  hours,  or.l  xlO"6 
failures  per  hour,  for  each  resistor,  on 
the  average .  Total  catastrophic  failure 
rate  of  resistors  in  the  circuit  is  then 
3  x.l  x  10'6  =  .3  x  10*6  failures  per 
hour.  Other  passive  parts  in  the  circuit 
would  be  treated  similarly. 


Figure  5-11.  Temperature/Wattage  Derating  of  Resistors 
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Computation  of  Module  or  Unit  the  designer  proposes  the  use  of  subminiature 

Failure  Rate. _  electron  tubes,  the  predicted  failure  rate  for 

the  1st  RF  stage  is  3.66  x  10*6  failures  per 
Figure  5- 12  summarizes  the  stress  and  hour, 
failure-rate  analysis  just  conducted  for  the 

1st  RF  amplifier  stage.  For  the  transistorized  The  same  procedure  would  now  be 

version,  a  predicted  base  failure  rate  of  applied  to  all  other  AEG’s  within  each  module 
1.66  x  10"6  failures  per  hour  is  shown.  If  to  yield  an  estimated  module  failure  rate. 


Part 

Total 

Dissipation 

Use 
Stress 
F  actor 
Actual/ 
Rated 

Temp.°C 

Temp. 

Stress 

Factor 

FRx 

io-6 

Per 

Part 

No. 

Parts 

F.R. 

Per 

Class 

Page 

Reference 

MIL- 

HDBK217 

Rated 

Actual 

Rated 

- 1 

Actual 

Transistor  Q1 
(or  TubeV-1) 

l50mW 

[3.3W) 

45 

(2.4W) 

.3 

(.7) 

150 

(165) 

75 

(165  est) 

.4 

(1.0) 

.52 

(2.46) 

1 

(1) 

.52 

(2.46) 

49 

(15) 

Resistors: 

MIL-R-11C 

.5 

80 

.1 

3 

.3 

79 

avg. 

Capacitors 

Fixed: 

MIL-C-5B 

Voltage 

.5 

80 

.06 

4 

(5) 

.24 
(.3  ) 

109 

Variable: 

JAN-C-92A 

80 

.1 

2 

.2 

183 

Inductors: 
MIL-G-15305A 
(Class  C, 
grade  2) 

80 

.1 

4 

.4 

133 

TRANSISTOR  AEG  1-66 

TOTAL  BASIC  FAILURE  RATE,  1st  RF  STAGE  TUBE  AEG  (3.66) 


Note:  Numbers  shown  parenthetically  apply  to  RF  amplifier  AEG  using 
electron  tubes  instead  of  transistors. 


Figure  5-12.  Stress  Analysis  of  Parts  in  1st  RF  Amplifier  AEG 
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|  -  Determine  Subsystem  or  Equip¬ 
ment  Failure  Rate. 


At  this  point,  the  “base”  AEG  failure 
rates  are  combined  within  modules,  for  an 
estimated  module  base  failure  rate.  Failure 
rates  of  modules  are  then  added  for  an  equip¬ 
ment  base  failure  rate.  For  example,  if  the 
procedure  of  Step  4  were  extended  to  all  other 
AEG’s  and  modules  within  the  ADF  receiver, 
the  following  table  might  result: 


Module 

RF 

Guard 

IF 

Audio 

Total  Receiver 


Base  Failure  Rate  x  10"6 


81  x  10-6 


Correct  for  “Use”  Environment. 

It  is  now  necessary  to  correct  for  gross 
“use”  environment  using  k  =  6.5  from 
MIL-STD-756A. 


Airborne  base  failure  rate  for  the  re¬ 
ceiver  is  then: 


Ar  =  6.5  x  81  x  10*6 


© 


=  526.5  x  10*6 

This  is  the  failure  rate  to  be  expected 
of  the  airborne  ADF  receiver  due  to 
catastrophic  part  failures. 

Correct  for  Tolerances  and  Interactions. 

It  is  next  necessary  to  adjust  the 
estimated  parts  failure  rate  by  a  com¬ 
plexity  factor  that  relates  part  failures 
to  equipment  failures.  This  factor  is 
derived  from  Figure  5-13.  Entering  the 
figure  at  N  =  19  (the  estimated  com¬ 
plexity  of  the  proposed  receiver  de¬ 
sign),  read  off  Kc  =  2.6. 

Predicted  failure  rate  of  the  receiver 
due  to  all  causes,  catastrophic  and 
tolerance,  is  then  given  by 

Ao  =  526.5  x  10'6  x  2.6 

=  1370  x  10*6  failures/hour 

of  which  the  catastrophic  failures 
account  for  38%. 


CORRECTION  FACTOR 
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5-2-2 


Figure  5-13.  Correction  Factor  for  Tolerance  Failures  in  Avionics  Equipment 

Kc  « (N)-33 


Determine  Subsystem  or  Equip-  1  1 

ment.MTBF  and  Reliability. -  MTBF  =  Failure  Rate  =  1370  ~  10.6 

The  ADF  receiver  should  have  the 

following  mean  life:  =  730  hours 


STEP  7 
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Reliability  for  a  3-hour  mission  from 
the  nomographs  shown  in  Appendix  3,  or 
from  the  expression  R  •  e-i/MTBF,  is; 

R=e.3/730  =e-.004  =  996 


Combine  Equipments  or  Sub- 
STEP  8  —  systems  of  the  System  or  its 

Individual  Functions. _ 

Continuing  with  the  navigation  function 
of  Figure  5-2,  the  following  table  might  result 
from  the  completed  parts  stress  analyses  and 
reliability  estimates  given  in  the  preceding 
steps: 

Equipment  Reliability  (3  hours) 

1  .980 

2  .999 

3  .999 

4  .992 

5  .9% 

6  .999 

8  .990 

9  .900 

Substituting  in  the  reliability  model 
previously  derived  in  Step  2, 

^NAV  =  ^1^2R3 

(l  -  [1  -  R6R8(R4+R5-R4R5)K1  -  R91 ) 
=  (.98X.999X.999) 

(l  -  [1  -  <.999)(.99)(.9999)][1  -  .9]) 

=  .977 

This  is  the  probability  that  either  the 
ADF  or  TACAN  will  remain  operational 
throughout  the  3-hour  mission. 
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Primary  mode  navigation  reliability 
(probability  that  both  ADF  and  TACAN  will 
remain  operational  throughout  the  3-hour 
mission)  is  simply  the  product  of  all  reliability 
values  in  the  table,  i.e.: 

^NAV  =  ^1^2^3^4+^5“^4^5^6^8^9 

=  .871 

The  reliability  of  each  of  the  other 
functions  is  estimated  by  the  same  procedure 
as  that  outlined  in  the  preceding  steps,  using 
estimates  for  the  following  additional  blocks: 

R7  =  .95 

Rio  = 

For  example,  IFF  reliability  for  three 
hours  is  given  by 

Riff  =(h,)-(R,o)=(98H93)=.91 

Overall  equipment  reliability  -  all  CN1 
functions  operational  —  is  now  the  product  of 
the  reliabilities  of  all  functions,  including 
R7  and  R10,  yielding: 

^CNI  =  ,769 

The  nomograph  indicates  that  the 
mean-time-between  failures  in  the  CNI  system 
will  be: 

MTBF  =  11.7  hours 

Stress  analysis  thus  indicates  to  the 
designer  that  an  improvement  of  somewhat 
better  than  2-to-l  will  be  needed  to  meet  the 
specified  requirement  of  Rqni  =  .9  which  cor¬ 
responds  to  an  MTF  =  30  hours. 

Further  derating  of  parts  and  possible 
use  of  redundancy  in  critical  elements  may 
be  necessary. 
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5-3-1  to  5-3-2 


5-3  CONSIDERATIONS  IN  THE  USE  OF  REDUNDANCY 
AND  MICRO-ELECTRONICS  FOR  RELIABILITY  IMPROVEMENT 


5-3*1.  “Micro"  Characteristics 

The  preceding  step-by-step  procedure 
is  applicable  to  designs  employing  micro¬ 
electronic  modules,  to  the  extent  that  failure 
data  sources  are  now  adequate.  This  is  a 
limitation  which  will,  of  course,  disappear  as 
data  from  life-tests  and  field  service  are  ac¬ 
cumulated.  In  the  interim,  it  is  well  to  be 
conservative  in  estimating  micro-module  AEG 
failure  rate,  in  order  to  insure  that  the  design 
adequacy  of  an  equipment  is  closely  related 
to  the  probable  reliability  growth  character¬ 
istics  of  the  micro-electronics  program,  rather 
than  to  be  contingent  on  long-range  objec¬ 
tives  that  may  not  be  realized  for  some  time. 
If  a  conservative  approach  is  used,  the  equip¬ 
ment  design  can  be  expected  to  exhibit  an 
inherent  reliability  “safety”  margin  propor¬ 
tional  to  the  difference  between  the  conserv¬ 
ative  estimate  based  on  current  data  and  the 
finally  achieved  long-range  goals. 


While  micro-electronic  modules  can  be 
expected  ultimately  to  surpass  their  conven¬ 
tional  circuit  counterparts  in  consistently 
exhibiting  high  inherent  reliability,  two 
micro-module  characteristics  other  than  re¬ 
liability  will  probably  have  the  greater  effect 
in  increasing  equipment  reliability  in  the  im¬ 
mediate  future.  These  characteristics  are 
the  small  volume  and  low  power  consumption 
of  the  micro-module,  which  make  it  readily 


adaptable  to  multiple  redundant  design  con¬ 
figurations. 


When  redundancy  is  involved,  the 
reliability-assessment  procedure  outlined 
above  should  be  expanded  to  provide  a  deeper 
failure-mode  analysis  at  the  part  and  element 
levels,  as  well  as  at  the  module  level,  in 
order  to  permit  a  proper  evaluation  of  the 
feasibility  of  operational  redundancy  as 
against  standby  redundancy. 


The  following  analytical  steps  would 
be  taken  in  micro-electronic  design  formula¬ 
tion,  and  in  assessing  the  reliability  achieved 
in  a  given  design  configuration. 


5-3-2.  Specific  Procedural  Steps 


STEP  1 


Evaluate  Failure  Modes  and 
Effects. 


Determine  the  effects  on  circuit  per¬ 
formance  of  module  failure  in  each  of  the 
module’s  possible  failure  modes.  Failures 
can  be  grouped  into  three  broadly  defined 
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modes  (illustrated  in  Figure  5-14)  having 
certain  general  failure  effects  at  the  circuit 
function  level: 


Tolerance  Mode  — 

resulting  in  circuit’s  failure  to  stay 
within  tolerance  limits. 


Short  Mode— 

usually  resulting  in  catastrophic 
loss  of  circuit  function. 


Open  Mode  — 

generally  resulting  in  catastrophic 
loss,  extreme  degradation,  or  “run¬ 
away”  of  circuit  function. 


FAR.URC  CAUSES 


OF  FARTS 
OF  MATERIALS 


FAILURE  ffFECTS 


Figure  5-14.  Failure  Modes  in  a  Micro-Module 


Evaluate  Failure  Cause  and 
Frequency,  by  Mode. 


Determine  the  relative  frequency  of 
each  failure  mode  with  respect  to  known 
failure  causes  and  anticipated  conditions  of 
use.  Assume  that  the  ADF  receiver  of  the 
proposed  CN1  system  is  to  be  “micro- 


modularized”  to  the  fullest  practicable  ex¬ 
tent.  Consider  the  1st  RF  Amplifier  stage 
analyzed  in  Step  4  of  Section  5.2.  Under  the 
proposed  conditions  of  use  (compartment  tem¬ 
perature  ambients,  vibration  levels,  etc.),  it 
has  been  determined  by  laboratory  evaluation 
of  RF  modules  that  the  relative  frequency  of 
failure  in  these  general  modes  is  as  shown  in 
Column  V  of  Figure  5-15. 
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USE 

\] LEVEL 

MODE 

I 

II 

III 

IV 

V 

Open 

10 

15 

20 

20 

25 

Short 

10 

20 

25 

30 

40 

Tolerance 

80 

65 

55 

50 

35 

All  Modes 

100 

100 

100 

100 

100 

Relative  by 

Stress  Level 

2 

3 

5 

8 

10 

1  to  10 

NOTE:  All  figures  in  this  table  are  hypothetical,  to  illustrate  methods.  Such  in¬ 
formation  should  ultimately  become  available  in  the  form  of  module  appli¬ 
cation  notes  as  the  program  progresses. 


Figure  5-15.  Failure  Mode  Analysis 


Evaluate  Design  Configuration 
_  Requirements  for  Protection 
Against  Predominant  Failure 
Modes. 


In  general,  the  following  protective 
measures  become  practicable  in  micro-module 
design  configurations: 

•  To  protect  against  predominantly 
“open”  failure  modes,  use  parallel 
redundant  modules,  with  suitable  fusing 
and  decoupling  circuitry  to  further 
protect  against  the  eventuality  of 
failure  in  the  short  mode. 


modules,  with  suitable  bypass  pro¬ 
tection  against  possible  open  modes 
(if  warranted). 

•  To  protect  against  predominantly 
“tolerance”  modes,  use  parallel  con¬ 
figuration  if  the  characteristics  of 
importance  vary  in  a  random  fashion  — 
i.e.,  if  the  mean  of  these  variabilities 
is  approximately  zero.  If  the 
characteristic  of  importance  (e.g., 
voltage  gain  of  the  1st  RF  stage) 
always  varies  in  one  direction  —  i.e., 
deteriorates  with  time-use  series 
redundant  modules  with  negative  feed¬ 
back  stabilization. 


•  To  protect  against  predominantly 
“short”  modes,  use  series  redundant 


These  configuration  possibilities  are 
shown  in  Figure  5-16. 


5-3-2 


NAVWEPS  00-65-502 


x 


I  I  1  SHORT  MODE  PROTECTION 


TOLERANCE  MODE  PROTECTION 


Qt  IS  A  FUNCTION  OF  B, 

THE  FEEDBACK  CHARACTERISTIC 

Figure  5-16.  Failure  Mode  Block  Diagram  for  Possible  Micro-Electronic  Modules 


*  ctpp  T  I  Evaluate  Circuit  Configuration 
-  for  Overall  Reliability. _ 


open-mode  or  a  short-mode  failure  is 
likely  to  occur.  Figure  5-17  is  a  simplified 
block  diagram  to  illustrate  the  derivation  of 
the  basic  reliability  model  for  the  circuit: 


As  an  example,  consider  the  1st  RF 
amplifier  as  a  micro-module  quad  in  which 
inverse  feedback  has  been  applied  to  reduce 
the  conditional  probability  of  tolerance 
failure  to  essentially  zero  during  the  mission 
period.  Under  this  assumption,  only  an 


qx  is  the  probability  of  micro-module 
failure  in  an  open  or  short  mode. 

qx  =  qx  open  +  qx  short 
=  1  *  R*(t> 
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5-3-2 


Figure  5-17.  Reliability  Model  for  1st  RF  Amplifier  Quad 


where 

Rx(t)  is  the  reliability  of  a  micro¬ 
module  for  period  of  time  t. 

Probability  of  short  in  Leg  A 

-  q*  a2 

Probability  of  short  in  both  legs 

-  P.  -  l  -  fl  -  q*»2l 

Probability  of  open  in  Leg  A 

“  q*o(2  -  o) 

Probability  of  open  in  both  legs 
*  Po  ™  [q«o(2  —  q»0)l2 

Reliability  of  the  quad  is  then 
R  -  1  -  P„  -  P0 

-(l-qxs2)2-[qxo(2-qXo)]2 

Assume,  for  example,  that  qxo  »  qX8  =  .001 
for  each  of  the  four  modules  based  on  a 
reliability  Rx(t)  =  .998  at  t  •  1000  hours. 


Then, 

R(t),  for  the  quad 

=  [1  -(.001)2]2  _  [.001(2  -  -001)]2 

=  .999994 

This  is  equivalent  to  approximately  a  300-to-l 
improvement  in  failure  rate  over  the  1000-hour 
period. 


A  full  treatment  of  redundancy  becomes 
quite  complex,  but  can  be  evaluated  graph¬ 
ically,  if  MIL-HDBK-217  is  used  as  a  guide. 
The  analytical  results  are  still  to  be  con¬ 
sidered  theoretical,  however,  until  they  are 
verified  in  design  testing.  It  is  the  purpose 
here  simply  to  indicate  the  potential  gains  to 
be  achieved  in  equipment  reliability  when  the 
techniques  of  redundancy  are  applied  to  de¬ 
signs  in  which  micro-electronic  modules  are 
used  as  the  basic  building  blocks. 

The  remaining  steps  of  the  assessment 
procedure  are  the  same  as  those  given  at  the 
beginning  of  this  section,  the  goal  being  to 
build  up  estimates,  block  by  block,  until  the 
entire  equipment  estimate  is  developed. 
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CHAPTER  6 

DEVELOPMENT  TESTING  AND  TEST  DESIGN 


6-1  INTRODUCTION 


6-1-1.  An  Empirical  Design  Technique 

Achievement  of  high  “inherent  re¬ 
liability’’  is  a  growth  process  dependent  on 
the  degree  to  which  design  has  been  guided 
and  verified  by  reliability  testing  —  the 
extent  to  which  testing  has  been  used  as  a 
means  of  “designing  in’’  reliability  during 
the  early  formative  stages  of  development. 

Development  testing  can  be  defined 
generally  as  an  empirical  technique  used  to 
generate  information  that  is  not  otherwise 
readily  obtainable  because  of  the  inadequacy 
of  applicable  theory  or  the  relative  difficulty 


of  achieving  a  theoretical  solution.  As  it 
applies  to  the  evolutionary  growth  of  a  weapon 
system,  the  definition  of  development  testing 
must  also  embrace  the  need  for  “proof’’  of  a 
theoretical  solution  — even  when  the  adequacy 
of  the  applicable  theory  is  not  in  question. 
The  need  for  proof  stems  from  a  very  practical 
management  need  for  a  measure  of  confidence 
in  the  results  being  achieved  in  the  develop¬ 
ment  program,  long  before  hardware  items  are 
produced  for  delivery  to  the  Fleet.  At  later 
stages  in  the  production  cycle,  development 
tests  are  supplemented  by  qualification  and 
acceptance  tests  in  order  to  strengthen  con¬ 
fidence  in  the  design  and  manufacture  of  the 
product. 
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Development  tests  are  employed  by  the 
designer  to  evaluate  the  adequacy  of  his  de¬ 
sign  and  to  point  out  its  weaknesses.  As 
indicated  above,  such  tests  may  be  thought 
of  as  design  techniques,  in  that  test  results 
are  applied  directly  to  the  problem  of  design 
refinement.  At  the  same  time,  development 
tests  provide  management  with  a  finger-on- 
pulse  awareness  of  design  status  with  respect 
to  program  requirements.  Thus,  the  “outputs” 
of  a  well-planned  development  test  program 
become  important  “inputs”  to  the  manage¬ 
ment  monitoring  program.  This  development 
test  feedback  cycle  is  illustrated  in 
Figure  6-1. 

Qualification  tests  aic  employed  to 
provide  a  formal  evaluation  of  development 
progress  as  well  as  assurance  that  specified 
requirements  for  one  phase  of  the  develop¬ 
ment  program  have  been  satisfied  before  the 
next  phase  is  embarked  upon.  For  example, 
such  tests  are  used  to  qualify  the  design  for 
prototype  development;  to  qualify  the  proto¬ 
type  for  pilot  production;  or  to  qualify  the 
preproduction  model  for  full-scale  production. 

The  reliability  achieved  during  de¬ 
velopment  is  monitored  through  acceptance 
tests,  which  are  employed  to  assure  continued 
controlled  compliance  with  specification  re¬ 
quirements.  Acceptance  tests  are  discussed 
in  detail  in  Chapter  7. 


6-1-2.  Reliability  Test  Objectives 
in  Development 

The  foregoing  discussion  introduced 
the  general  concept  of  development  testing 
as  an  empirical  design  technique,  a  tool 
used  by  the  designer  to  assure  that  the  basic 
design  has  an  inherent  capability  for  meeting 
all  the  requirements  of  the  design  specifi¬ 
cation,  including  performance,  maintainability, 
safety,  reliability,  and  other  factors. 


When  properly  planned  for,  much  of  the 
development  testing  conducted  for  performance 
information  can  be  made  to  yield  simul¬ 
taneously  the  desired  amount  of  reliability 
information  with  very  little  alteration  in  test 
plans.  In  other  instances,  there  is  no  alter¬ 
native  but  to  design  and  conduct  a  test  purely 
for  reliability  investigation  or  verification 
purposes.  Certain  fundamentals  of  test  de¬ 
sign  must  be  understood  and  translated  into 
“reliability  test”  design  criteria,  regardless 
of  whether  the  reliability  test  is  an  investi¬ 
gative  or  exploratory  test  (test  of  inquiry); 
or  a  verification  or  comparison  test  (test  of 
hypothesis). 


In  the  investigative  test,  an  experiment 
is  designed  to  formulate  a  hypothesis  about 
the  reliability  of  a  product  or  process;  e.g., 
to  determine  the  failure  mode  of  a  new  part 
being  considered  for  use  in  the  design,  under 
stress  conditions  anticipated  in  the  design, 
or  to  determine  the  interactions  among  several 
variables  in  a  proposed  design  configuration. 
On  the  basis  of  test  results,  a  hypothesis 
concerning  cause/effect  relationships  is 
formulated  for  design  guidance,  pending 
verification  by  the  second  type  of  test. 


B.  The  Verification  Test 

A  verification  test,  on  the  other  hand, 
is  designed  to  verify  a  hypothesis  con¬ 
cerning  the  reliability  behavior  of  a  product 
or  process.  A  verification  test  is  frequently 
used  to  compare  a  measurement  of  MTBF 
achieved  in  development  against  an  earlier 
MTBF  predicted  in  design,  to  verify  the  pre¬ 
diction  hypothesis. 


A.  The  Investigative  Test 
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6-1-3.  Test  Procedures 

Reliability  test  methods  applicable  in 
the  development  phase  are,  in  general, 
“designed  experiments”  —  test  conditions 
and  methods  of  data  analysis  are  preplanned 
on  the  basis  of  engineering  requirements  and 
statistical  considerations.  Whether  the  test 
is  designed  for  investigation  or  for  verifi¬ 
cation,  the  following  cycle  must  be  com¬ 
pleted  if  effective  and  unbiased  results  are 
to  be  expected: 

•  Define  the  Problem 

•  State  Test  Objectives 

•  Establish  Test  Requirements 

•  Design  Test 

•  Implement  Test 

•  Analyze  Results 


6-1-4.  Test  Design  Consideration 

The  design  and  implementation  of  a 
development  test  program  must  weigh  and 
balance  the  seldom  compatible  engineering, 
statistical,  and  administrative  requirements 
deemed  essential  for  satisfying  the  test 
objectives. 


•  Statistical  requirements  relate  to  the 
desired  accuracy  of  results,  the  order  and 
manner  of  selection  and  testing,  and  the 
confidence  which  can  be  placed  in  the 
decisions  made. 

•  Administrative  requirements  pertain  to 
practical  limitations  on  time,  funds,  and 
facilities  which  may  necessitate  com¬ 
promises  in  engineering  and  statistical 
criteria. 

To  optimize  test  design  with  respect 
to  these  often  conflicting  requirements, 
consideration  may  be  given  to  the  relative 
advantage  of  smaller  sample  sizes  and 
longer  test  times  over  larger  sample  sizes 
and  shorter  test  times.  The  feasibility  of 
accelerating  test  conditions  in  order  to 
induce  more  failures  may  be  considered 
when  the  effects  of  such  accelerated  con¬ 
ditions  on  failure  modes  are  known .  Al¬ 
though  the  effects  of  accelerated  test 
conditions  on  parts  failure  modes  and  rates 
are  fairly  well  known  in  certain  instances, 
it  is  generally  not  feasible  to  translate 
these  effects  into  predictions  of  component 
and  equipment  failure  behavior. 

Consideration  may  also  be  given  to  a 
sacrifice  in  the  required  test  confidence, 
thus  permitting  a  reduction  in  sample  size  or 
time  requirements,  in  order  to  conform  to 
existing  administrative  limitations.  This  is 
always  permissible  on  the  grounds  that  a 
test  designed  around  a  relatively  low  level 
of  confidence  is  always  better  than  no  test 
at  all! 


•  Engineering  requirements  dictate  the  en-  In  the  following  paragraphs,  pro- 

vironmental  stress  levels,  duty  cycles,  cedures  are  outlined  for  design  and 

range  of  applications,  and  performance  application  of  those  test  methods  which 

limits  used  to  define  success  or  failure  of  have  wide  application  in  the  solution  of 

the  item  under  test.  In  general,  test  con-  reliability  problems  during  design  and  devel- 

ditions  must  be  representative  of  those  opment.  The  nature  of  the  problem  will 

anticipated  in  use  if  an  acceptable  basis  determine  which  of  the  general  test  cate- 

for  decision  is  to  result.  gories  will  apply. 
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6-2  TESTS  OF  INQUIRY 


6-2-1.  Basic  Types 


6-2-3.  Procedural  Steps 


Tests  of  inquiry  applied  to  reliability 
problems  are,  in  general,  divided  into  two 
categories: 

(1)  Measurements  tests  - 

those  designed  to  measure  the 
reliability  of  an  item. 

(2)  Evaluation  tests  - 

those  designed  to  evaluate  rela¬ 
tionships  between  environments  or 
stresses  and  parameters  which 
influence  reliability  (or  failure 
rate)  of  the  item. 

Examples  of  the  design  and  application  of 
each  of  these  are  given  in  the  following 
paragraphs. 

6-2-2.  Measurement  of  Reliability 

(Application  of  Confidence  Limits) 

Reliability  measurement  tests  should 
be  conducted  under  known  operating  con¬ 
ditions  —  ideally  closely  simulating  use 
conditions  to  be  expected  in  the  Fleet. 
The  operating  times  accumulated  and  the 
number  of  failures  observed  provide  the 
basis  for  measuring  reliability.  Confidence 
in  test  results  is  directly  related  to  the 
number  of  failures  which  are  observed  during 
the  test. 

A  test  of  inquiry  does  not  presuppose 
or  hypothesize  a  desired  reliability,  but 
rather  depends  upon  the  analysis  of  test 
data  to  obtain  the  observed  value.  The 
following  example  illustrates  the  procedure 
which  may  be  used  to  design  and  implement 
a  typical  measurement  test. 


STEP  1 


-  Define  the  Problem 


A  new  traveling  wave  tube  is  devel¬ 
oped,  and  prototype  models  are  available 
for  evaluation  by  prospective  users.  Char¬ 
acteristics  of  the  tube  suggest  its  use  in 
an  unmanned  ECM  application.  However, 
no  data  are  available  on  the  reliability  of 
these  tubes.  Therefore,  the  problem  is  to 
measure  the  reliability  of  the  traveling  wave 
tubes,  under  the  proposed  operating  con¬ 
ditions,  by  a  planned  test  program. 


STEP  2 


—  Establish  Test  Requirements 


Test  requirements  are  defined  as 
follows: 

“The  test  facilities  shall  duplicate 
the  estimated  operating  environments, 
electrical  stresses,  and  duty  cycles. 
Tube  characteristics  of  phase  shift, 
cathode  current,  and  helix  current 
shall  be  monitored.  A  tube  shall  be 
considered  to  have  failed  if  perform¬ 
ance  varies  outside  performance 
limits.  Momentary  surges  such  as 
'arcing',  which  are  self-sustaining  and 
discontinuance  of  which  requires 
removal  of  high  voltage,  shall  be 
considered  as  failures;  however,  if  the 
tube  involved  is  not  damaged,  it  may 
continue  in  test.  In  order  to  assure 
reasonable  confidence  in  test  results, 
the  test  shall  provide  sufficient 
operating  time  to  permit  the  accum¬ 
ulation  of  at  least  five  failures." 
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6-2-3 


STEP  3 


-  Design  the  Test 


It  is  possible  to  accumulate  controlled 
test  time  on  the  TWT’s  by  either  of  the 
following  two  methods: 


(1)  Fabrication  of  one  test  position 
and  testing  a  single  tube  at  a 
time  until  five  have  failed;  or 


MTBF  = 


Operate  Hours 
Number  of  Failures 


The  number  of  operate  hours  and 
failures  accumulated  during  the  TWT  test 
is  shown  in  Figure  6-3. 


Observed  MTBF  =  £122  =  917  hours 
7 


(2)  Fabrication  of  several  test 
positions  and  simultaneous 
accumulation  of  test  time. 


STEP  6 


Establish  Confidence  Limits 
on  the  MTBF 


It  is  determined  that  the  use  of  five 
test  positions  is  economically  feasible. 
Eight  tubes  are  procured  for  test  purposes 
so  that  a  tube  failing  in  any  one  of  the  five 
positions  can  be  replaced  by  one  of  the 
three  spares.  This  approach,  known  as  a 
“replacement  test",  is  chosen  in  order  to 
optimize  the  number  of  test  hours  which  can 
be  utilized  in  any  given  calendar  time. 
Administrative  restrictions  limit  the  test  to 
a  maximum  of  three  months,  operating  24 
hours  a  day,  five  days  a  week. 

Preparation  of  detailed  test  proce¬ 
dures,  data  recording,  and  data  analysis  are 
assigned  to  the  reliability  engineering 
group;  conduct  of  the  test  is  assigned  to  the 
test  department. 


STEP  4 


—  Implement  the  Test 


Figure  6-2  graphically  portrays  the 
test  period. 


STEP  5 


-  Analyze  Data 


The  following  equation  is  used  to 
determine  the  mean-time-between-failures 
(MTBF>: 


The  observed  MTBF  of  917  hours 
represents  the  best  estimate  of  TWT  mean 
life,  based  on  the  8-tube  sample.  Since  the 
917  hours  is  derived  from  a  small  sample, 
the  true  MTBF  for  the  population  of  tubes 
could  lie  either  somewhat  above  or  below 
this  estimate.  A  range  of  values,  within 
which  it  can  be  stated  with  90%  confidence  L/ 
that  the  true  value  will  fall,  is  established 
by  placing  the  90%  confidence  limits  (upper 
and  lower  estimates)  about  the  test  value 
of  917  hours.  These  limits  are  obtained  from 
Table  3-1  of  Appendix  3  of  this  handbook. 
By  entering  the  table  at  7  failures': 

Lower  90%  confidence  limit 

=  917  x  .591 
=  542  hours 

Observed  MTBF  =  917  hours 

Upper  90%  confidence  limit 

=  917  x  2.130 
=  1953  hours 

These  computations  are  plotted  on 
Figure  6-4. 


^  Anv  desired  degree  of  confidence  may  be  chosen 
and  corresponding  confidence  limits  derived; 
however,  90%  is  the  most  widely  used  level  for 
reliability  estimation. 
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TEST  POSITION  TUBE 
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Arcing-Tube  test  OK,  continued  in  test. 
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264 

Open  filament. 
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Low  cathode  current  (test  equipment  induced  failure) 
Tube  test  OK,  continued  in  test. 

C 

860 

Arcing  —  Tube  test  OK,  continued  in  test. 

D 

555 

Arcing— Tube  burned  out. 

E 

90 

Arcing-Tube  test  OK,  continued  in  test. 
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Phase  shift  out  of  tolerance. 
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Arcing-Tube  burned  out. 
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Phase  shift  out  of  tolerance  (test  equipment  error)- 
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No  failures. 

Figure  6-2.  Example  Test  Summary 


NAVWEPS  00-65-502 


6-2-4  to  6-2-5 


NAVWEPS  00-65-502 


6-2-4.  Evaluation  Tasts 

(Regression  Analysis) 

Part-to-part  variations  and  changes 
in  environmental  conditions  cause  corre¬ 
sponding  changes  in  circuit  or  equipment 
parameters,  such  as  output  power  or  voltage, 
frequency  stabilization,  and  failure  rate. 
Knowledge  of  the  relationship  which  exists 
between  two  variables  can  often  be  obtained 
through  a  planned  regression  analysis  test 
program. 

Regression  analysis  is  a  statistical 
technique  which  quantitatively  defines  the 
best  fitof  a  line  through  a  set  of  data  points, 
as  shown  in  Figure  6-5.  The  usual  “by-eye" 
engineering  procedure  is  improved  upon  by 
the  use  of  regression  analysis  in  the  deter¬ 
mination  of  the  constants  a  and  b  in  the 
regression  equation  of  Figure  6-5.  (Statis¬ 
tical  regression  analysis  may  be  extended 
to  many  variables  and  to  nonlinear  relation¬ 
ships.  However,  it  is  recommended  that 
this  be  attempted  only  under  the  guidance  of 
experienced  statisticians.) 


Figure  6-5.  Regression  Line  Through 
Observed  Values  of  Y  for  Given  Values  of  X 


6-2-5.  Procedural  Steps 

The  step-by-step  procedure  for  the 
design  and  analysis  of  a  simple  (2-variable) 
regression  application  follows: 


STEP  1 


—  Define  the  Problem 


A  turbo  jet  engine  is  experiencing 
blade-fatigue  failures  due  to  prolonged 
vibrations  at  resonance.  It  is  assumed  that 
resonance  occurs  at  steady-state  engine 
RPM.  The  problem  is  to  determine  if 
a  relationship  exists  between  bench- 
measured  blade  resonance  points  and  the 
actual  RPM  at  which  the  blade  reaches 
resonance.  If  such  a  relationship  is  es‘ 
lished,  it  might  be  possible,  by  bench 
measurement,  to  determine  the  acceptability 
of  blades  for  actual  engine  use,  thereby 
reducing  or  eliminating  this  engine  failure 
mode. 


—  Establish  Test  Requirements 

To  prevent  bias  in  the  test  results 
due  to  the  use  of  a  given  production  lot, 
the  blades  chosen  for  test  are  selected  at 
random  from  several  production  lots.  It  is 
considered  desirable,  from  a  statistical 
viewpoint,  to  test  at  least  30  blades  under 
the  proposed  bench-measurement  conditions, 
followed  by  test  in  a  production  turbo  jet 
engine  with  the  turbine  inlet  temperature 
maintained  at  1500°F. 


STEP  2 


—  Design  the  Test 


Only  one  turbo  jet  engine  is  available 
for  use  as  a  test  bed.  Consideration  of  the 
time  involved  and  other  commitments  limit 
the  test  to  the  minimum  30  blades.  The 
following  test  sequence  is  established: 


STEP  3 
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(1)  Selection  of  30  blades,  at  random, 
from  the  past  three  months' 
production. 

Figure  6-6  gives  data  accumulated  on 

(2)  Identification  and  bench-test  of  the  30  blades,  ranked  in  order  of  bench- 
each  blade  to  determine  resonance  resonance  frequency. 

frequency. 

(3)  Installation  of  blades  in  succes¬ 

sive  build-up  of  the  turbo  jet 
engine,  with  engine  RPM  varied 
to  determine  RPM  at  which  blade  The  test  data  summarized  in  Figure  6-6 

resonance  occurs.  are  plotted  as  a  scattergram  in  Figure  6-7. 


STEP  5  —  Plot  the  Data  as  a  Scattergram 


STEP  4  -  Order  the  Test  Data 


Blade  No. 
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Figure  6-6.  Test  Results:  Blade  Resonance  Frequency 
and  RPM  Resonance 


6-9 


6*2-5 


NAVWEPS  00-65*502 


ENGINE 

RPM 


Figure  6-7.  Scottergrom  of  Test  Data 


STEP  6 


Determine  the  Line 
—  Which  Best  Represents  the 
Relationship  Between  X  and  Y 


This  may  be  accomplished  “by-eye” 
when  the  data  are  closely  grouped  and 


obviously  linear,  as  shown  in  Figure  6-7. 
However,  it  is  often  desirable  to  use  com¬ 
putational  techniques  to  obtain  a  more 
accurate  equation  than  can  be  approximated 
by  eye.  Accomplishment  of  this  is 
illustrated  in  Figure  6-8. 
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EQUATION:  Y  =  a  +  bX 

X  =  Bench-Measured  Blade  Frequency 
Y  =  Resonant  Engine  RPM 


X2 


9,650 

9,550 

10,700 


6-2-5 


1  169  1,366,561  11,900 

1,180  1,392,400  11,750 


n  =  30 


Y2 

XY 

93,122,500 

9,630,700 

91,202,500 

9,416,300 

114,490,000 

11,438,300 

141,610,000 

13,911,100 

138,062,500 

13,865,000 

3,492,681,400 

352,246,750 

2X, 

32,553 

XYS 

= 

322,220 

2X? 

35,546,527 

2Y  f 

=  3,492,681,400 

axf 

=  1,059,697,809 

(SYj)2 

=  103,825,728,400 

SXJi 

352,246,750 

_  IX: 

X  =  — -  = 

n 

32,553 

30 

1085.1 

UXiXXYj) 

=  10,489,227,660 

Y  .  Hi . 

n 

322,220 

30 

=  10740. 

n(2XiYi)-ttY1K2Xi)  (30X352,246,750)  -  10,489,227,660 


n(SXf)  -  (SXi)2 


(30X35,546,527)  -  1,059,697,809 

,  78,174,840  _  n  6?1 
6,698,001  “  ' 


a  =  Y-bX  =  10740.67  -(11.67X1085.1)  =  -1922.446 
Y  =  -1922.446  +  11.671X 


Figure  6-8.  Computations  in  Regression  Technique 
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—  Apply  the  Analysis 


The  steady-state  turbo  jet  rotational 
speed  is  a  nominal  10,000  RPM,  controllable 
by  the  fuel  system  to  within  ±200  RPM. 
Titus,  it  is  possible  to  plot  the  range  of 


expected  RPM,  as  shown  in  Figure  6-9. 
Turbine  blades  whose  bench-measured  res¬ 
onance  frequencies  fall  in  the  range  of 
Xj  to  X2  (as  obtained  either  from  the  plot 
or  from  the  regression  equation)  could  pos¬ 
sibly  become  resonant  at  steady-state 
engine  RPM. 


ENGME 

RPM 


Figure  6-9.  Application  of  Regression  Analysis  in  Relating  Bench  Measurements 

to  Application  Conditions 
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6-2-5  to  6-3-1 


The  regression  of  Y  on  X  is  not 
perfect  —  i.e.,  some  variation  of  Y  exists 
for  a  given  value  of  X.  It  is  possible  to 
obtain  an  estimate  of  the  extent  of  this 
variability  by  assuming  that  the  variation 
in  Y  is  normally  distributed,  by  solving  the 
following  equation,  and  by  plotting  the 
vertical  ±3s  tolerance  limits!/  about  the 
the  regression  line  for  any  selected  value 
of  Y. 

/nSYi2-(2Yi)2-b[nSXiYi-qXi)(2Yi)} 

V  n(n  -  2) 

Using  the  data  in  Figure  6-8, 
s  =  224.5 

The  ±3s  tolerance  limits  for  a  blade  resonant 
frequency  of  1100  cps  are  shown  on  Fig¬ 


ure  6-9.  Two  lines  drawn  parallel  to  the 
regression  line  and  passing  through  the  ±3s 
limits  will,  in  general,  encompass  99%  of 
the  expected  variability  of  Y  for  any  given 
value  of  X.  These  lines  may  also  be  approx¬ 
imated  “by-eye”,  if  drawn  to  encompass  all 
observed  data  points.  The  range  of  reso¬ 
nant  blade  frequencies  which  would  indicate 
a  potential  engine  resonance  condition, 
is  thus  broadened  to  the  area  bounded  by 
Xj  and  Xg. 

If  blade  resonance  frequencies  are 
kept  either  below  980  cps  or  above  1060  cps, 
less  than  1  in  100  should  become  resonant 
over  the  acceptable  range  of  steady-state 
engine  operation.  This  knowledge  is  used 
in  the  improved  design  of  blades  and  in  the 
establishment  of  acceptance  test  limits  for 
bench  measurements. 


6-3  TESTS  OF  HYPOTHESIS  (DECISION  MAKING) 


6-3-1.  Categories  of  Decision 

Tests  of  this  type  are  designed  to 
assist  in  decision  making.  Design  deci¬ 
sions,  based  on  reliability  parameters,  fall 
into  two  broad  categories: 

(1)  Verification  that  an  item  meets  a 
prescribed  minimum  reliability, 
and 


2/  Tolerance  limits  are  used  here  in  the  sense  that 
a  given  proportion  of  the  Y  values  will  lie 
between  the  limits  as  follows: 

-Is  =  68.3% 

*2s  =  95.4% 

♦3s  =  99.7% 

This  is  based  upon  the  standard  deviation  s  of 
the  normal  distribution  as  discussed  in 
Paragraph  2.2.3  of  Appendix  2. 


(2)  Selection  of  the  more  reliable 
item  or  approach  from  two  or  more 
alternatives. 

Through  the  testing  of  developmental 
samples,  inferences  (decisions)  may  be 
drawn  about  the  total  projected  population. 
A  statement  or  hypothesis  is  first  made 
concerning  the  item(s)  to  be  tested.  Deci¬ 
sion  criteria  are  established  prior  to  the 
test  such  that  a  simple  inspection  of  results 
will  determine  whether  to  accept  or  reject 
the  hypothesis.  The  test  design,  in  terms 
of  sample  size,  is  also  adjusted  to  provide  a 
given  level  of  confidence  in  the  decision 
or,  conversely,  a  given  risk  of  making  an 
incorrect  decision.  Two  types  of  risk  are 
are  associated  with  decisions  based  on  test 
results: 
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6-3-1  to  6-3-2 

(1)  Rejection  of  the  hypothesis  when 
in  fact  it  should  have  been 
accepted  —  commonly  referred  to 
as  a  Type  I  error  and  denoted 
by  a;  and 

(2)  Acceptance  of  the  hypothesis 
when  in  fact  it  should  have  been 
rejected  —  commonly  referred  to 
as  a  Type  II  error  and  denoted 
by 

In  general,  these  risks  are  inversely 
related  to  the  sample  size  of  the  test. 

The  following  examples  of  decision¬ 
making  through  test  provide  the  step-by- 
step  procedures  required  in  the  establishment 
of  the  decision  criteria  and  the  associated 
risks. 


Past  experience  indicates  that  for  the  pre¬ 
liminary  design  a  reliability  of  0.9  cannot 
be  expected  beyond  100  hours  of  operation. 
However,  it  has  been  predicted  that  a 
redesigned  circuit,  employing  extensive 
derating  of  parts  and  redundancy  at  the  parts 
level  in  critical  areas,  would  considerably 
exceed  the  required  10-to-l  increase  in  the 
specified  period  of  operation,  as  illustrated 
in  Figure  6-10. 

The  problem  is  to  determine  whether 
or  not  the  proposed  new  design  would  yield 
the  required  0.9  reliability  for  1,000  hours 
of  operation  under  simulated  field  con¬ 
ditions,  as  predicted.  Since  redundancy  is 
“mcloyed  in  thedesign.it  cannot  be  assumed 
that  the  exponential  reliability  function 
represents  the  inverter’s  time-to-failure  char¬ 
acteristics.  This  eliminates  an  MTBF  test. 


6-3-2.  Tests  of  Verification 


Tests  of  verification  are  employed  to 
verify  that  a  desired  result  has  (or  has  not) 
been  obtained.  This  type  of  test  is  usually 
employed  to  provide  the  development  team 
“proof’  (with  a  known  confidence  in  their 
test  answer)  that  the  design  has  in  fact 
achieved  the  specified  reliability.  The 
following  example  'illustrates  the  design 
of  a  test  to  verify  a  reliability  prediction. 


STEP  2 


—  Determine  Test  Objectives 


Primary  objective  of  the  test  is  to 
verify  the  design  prediction  or,  statistically, 
the  hypothesis  that  the  reliability  of  the 
inverter  is  equal  to  or  greater  than  .9  for 
1,000  hours  of  operation  (the  predicted 
reliability  is  .972  for  1,000  hours).  This  is 
expressed  mathematically  as 


Ho:  R  >  .9 


Secondary  objectives  of  the  test 
include: 


STEP  1 


—  Define  the  Problem 


A  reliability  requirement  has  been 
allocated  to  a  static  inverter  on  the  basis  of 
its  importance  and  complexity  relative  to 
other  components  of  the  new  system.  This 
requirement  is  stated  as  a  reliability  of 
(at  least)  0.9  for  1,000  hours  of  operation. 


•  Estimation  of  the  actual  reliability  ob¬ 
served  during  the  test. 

•  Investigation  of  the  effects  of  redundancy 
on  the  reliability  function. 

•  Analysis  of  failures  to  determine  causes 
and  possible  corrective  actions  or  design 
improvement. 
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successful  operation  in  the  intended  appli- 
STEP  3  —  Establish  Test  Requirements  cation(s). 

The  conditions  under  which  the  Statistical  requirements  which  must 

inverters  are  tested  correspond  to  those  be  established  are  those  associated  with 

specified  for  anticipated  installation  envi-  the  risks  involved  in  the  decision  to  accept 

ronments  and  load  requirements.  Acceptable  or  reject  the  hypothesis.  Since  the  primary 

test  performance  tolerance  limits  are  based  purpose  of  the  test  is  to  determine  whether 

on  those  which  are  required  to  maintain  the  inverters  have  achieved  or  exceed  a  .9 


OOCHH-DO-  DESIGN  A 


TIME,  t,  IN  HOURS 

Figure  6-10.  Predicted  Reliability  Functions 
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reliability,  a  confidence  of  90%  in  a  decision 
to  accept  the  hypothesis  is  established;  or, 
conversely,  a  .10  risk  of  making  a  wrong 
accept  decision  can  be  to  1  era  ted.  27 

It  is  also  desirable  to  establish  a 
maximum  risk  of  .10  against  a  reject  deci¬ 
sion  if  the  inverters  are  in  fact  as  good  as 
their  predicted  reliability  of  .97. 


STEP  4 


-  Test  Plan 


The  basic  plan  for  the  design  of  the 
inverter  test  is  indicated  by  the  specified 
reliability  allocation  and  the  predicted  non¬ 
exponential  reliability  function  to  be  inves¬ 
tigated.  It  is  desirable  that  the  test  be 
planned  for  at  least  the  specified  1,000 
hours  of  operation  of  each  item  in  order  to 
escape  the  dangers  involved  in  extrapolation 
of  the  results  if  shorter  times  are  used.  In 
order  to  investigate  the  theoretical  non- 
exponerRial  reliability  function,  it  is  also 
advisable  to  plan  for  continuation  of  the 
test  after  the  primary  objective  is  met,  thus 
furnishing  more  failure  information  to  satisfy 
the  secondary  objectives.  Since  the  equip¬ 
ment  employs  redundancy  at  the  parts  level, 
the  replacement  or  repair  of  test  items 
during  the  test  complicates  the  test  design. 
Consequently,  a  simple  non-replacement 
test  plan  is  chosen. 


The  sample  of  inverters  is  placed  on 
test  under  simulated  conditions.  Items  that 
fail-  during  the  test  are  removed  and  are  not 
replaced.-^  After  1,000  hours  of  testing,  a 
decision  based  on  the’  observed  number  of 
failures  is  made  concerning  the  test  hypo¬ 
thesis.  Data  on  all  failures  (including  the 
time-to-failure)  are  recorded  and  the  test  is 
continued  for  an  arbitrary  additional  period 

2/  The  risks  associated  with  development  test 
decisions  are  normally  limited  to  either  .10  or 
.20  for  both  the  Type  I  and  Type  H  errors. 

4/  All  items  which  fail  are  to  be  subjected  to  a 
failure  analysis  as  discussed  in  Chapter  8. 


of  1,000  hours  in  order  to  gain  further  infor¬ 
mation  on  the  reliability  characteristics  of 
the  design. 


STEP  5 


-  Test  Design 


Test  design  involves  deriving  a  set 
of  decision  criteria  based  upon  the  maximum 
number  of  failures  (c)  which  may  occur  during 
test  of  a  sample  of  (N)  units  prior  to  a  reject 
decision  (e.g.  ,  if  c  or  less  failures  occur  in 
N  sample  units,  accept  the  hypothesis;  if  c 
plus  one  or  more  failures  occur  in  the  N 
sample  units,  reject  the  hypothesis).  The 
size  of  the  sample  and  acceptable  number  of 
failures  are  chosen  to  provide  the  desired 
risks  of  rejecting  a  true  .972  reliability  and 
of  accepting  a  true  reliability  lower  than  the 
minimum  .9. 


Ideally,  a  test  should  provide  perfect 
discrimination  (i.e.,  an  equal  risk  of  rejec¬ 
ting  the  inverters  if  their  true  reliability  is 
slightly  less  than  .9  and  of  accepting  them 
if  their  reliability  is  .9  or  above).  However, 
sampling  tests  cannot  provide  this  ideal 
discrimination;  therefore  it  becomes  neces¬ 
sary  to  establish  an  acceptable  discrim¬ 
ination  ratio  which  is  determined  as  follows: 


(1  —  Minimum  Reliability) 
(1  -  Design  Reliability) 


Maximum  Proportion  Defective 
Minimum  Proportion  Defective 

=  Discrimination  Ratio  (k) 


The  minimum  inverter  reliability  was  estab¬ 
lished  by  specification  as  .9.  Design 
reliability  is  that  value  greater  than  .9 
which  the  design  group  expects  to  achieve. 
It  has  been  predicted  that  the  nominal 
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design  reliability  of  the  inverters  will  be 
.972.  Therefore,  the  discrimination  ratio 
for  the  test  should  not  exceed 


sample  size  and  the  natural  desire  of  the 
design  group  for  a  discrimination  ratio  which 
approaches  unity. 


1  -  .9  .1 

1  -  .972  .028 


3.6  =  k 


The  discrimination  ratio  plays  a  vital 
role  in  the  determination  of  sample  sizes. 
The  inverse  relationship  between  sample 
size  and  k  requires  that  a  compromise  be 
reached  between  the  test  cost  in  terms  of 


ombination  of  sample  size  and 
c  .or  a  given  minimum  reliability 

and  fi  error  is  uniquely  defined  by  its 
operating  characteristic  (OC)  curve.  The 
OC  curve  for  a  given  test  design  relates 
the  probability  of  reaching  an  accept  deci¬ 
sion  to  the  true  reliability  of  the  product. 

Figure  6-11  presents  an  OC  curve  for 
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.4  .5  .6  7 

1/DISCRIMINATION  RATIO 


Figure  6-12.  OC  Curves  for  Selected  Test  Plans  with  a  Fixed  /9  Risk  of  .10 


a  sample  size  of  93  and  a  c  number  of  5 
(5  failures  allowed  to  occur  in  the  sample) 
for  a  /3  risk  of  .10  in  accepting  the  hypo¬ 
thesis  that  the  inverters  have  at  least  .9 
reliability.  Using  the  k  of  3.6  determined 
above,  the  risk  of  rejecting  the  inverters  if 
thgir  true  reliability  is  .972 (proportion  defec¬ 
tive  =  .028)  is  only  .03;  or,  conversely, 
the  probability  of  accepting  (1  -  a)  the  hypo¬ 
thesis,  and  thus  the  inverter,  is  .97. 


This  test  design  exceeds  the  require¬ 
ments  and  thus  does  not  minimize  the 
number  of  samples.  Figures  6-12  and  6-13 
are  used  to  aid  in  selecting  test  designs 
and  establishing  the  tradeoffs  between 
sample  size,  discrimination  ratios,  and  a// 3 
risks. 

The  test  requirement  of  a  /9  risk  of  .10 
and  a  minimum  reliability  of  .9  (maximum 
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of  10%  defective)  dictates  the  use  of  Figure 
6-12.  The  minimum  test  plan  which  fulfills 
the  requirement  is  that  plan  which  falls 
nearest  to  the  intersection  of  the  .10  a  risk 
line  and  the  .028  design-predicted  proportion 
defective.  This  results  in  a  c  of  3  and  a 
corresponding  N  of  66.  Therefore,  the 
recommended  test  design  tests  66  inverters 
for  1,000  hours  and  accepts  the  hypothesis 
if  3  or  less  defectives  are  observed. 


If  the  sample  size  is  too  high,  it  is 
possible  to  reduce  the  number  by  either  or 
both  of  the  following  methods: 

•  Increase  the  k  value.  This  assumes  that 
the  design  reliability  is  better  than  the 
prediction  and,  in  effect,  increases  the 
risk  of  rejecting  inverters  which  in  fact 
exceed  .9  reliability.  For  example, 


Figure  6-13.  OC  Curves  for  Selected  Test  Plans  with  a  Fixed  /3  Risk  of  .20 
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HOURS  OF  TEST  DURATION 


Figure  6-14.  Observed  Reliability  Function  for  2000-Hour  Test  with  66  Inverters 


increasing  k  to  5  would  permit  a  c  value 
of  1  and  would  result  in  a  sample  size 
reduction  to  37.  However,  the  inverters 
would  require  a  least  a  .986  reliability  if 
a  .10  risk  of  rejection  is  maintained;  or 
the  original  risk  of  .10  for  a  .972  reliabil¬ 
ity  would  increase  to  a  risk  of  .30. 

•  Increase  the  /3  risk.  Figure  6-13  presents 
test  designs  for  a  /3  risk  established  at 
.20.  If  the  original  k  value  of  3.6  is  held 


constant  and  the  a  risk  is  also  adjusted 
to  .20,  the  sample  size  could  be  reduced 
to  16  (c  =  1).  This  approach,  however 
would  necessitate  a  change  in  the  basic 
test  requirements. 


STEP  6 


-  Implement  the  Test 


The  test  of  66  inverters  in  accordance 
with  the  test  plan  yields  the  following 
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6-3-2  to  6-3-3 


results:  52  inverters  operate  the  <j11  2,000 
hours  without  failure;  14  inverters  fail  after 
accumulating  the  test  times  shown  below: 


Inverter  No. 

Operate  Time 
at  Failure 
(Hours) 

2 

1320 

4 

1510 

7 

1430 

12 

1246 

17 

852 

22 

1369 

25 

1440 

31 

1900 

32 

1540 

39 

1321 

45 

1447 

54 

1823 

56 

402 

64 

1006 

STEP  7 


-  Data  Analysis 


Inspection  of  the  data  reveals  the 
failure  of  only  2  >f  the  66  inverters  during 
the  1,000-hour  test  period.  Thus,  the  hypo¬ 
thesis  Ho:  R10oo  -  -9  is  accepted  it 
can  be  stated  (with  90%  confidence)  that  tt,c 
true  reliability  is  at  least  .9. 


the  choice  between  processes.  When  suf¬ 
ficient  test  data  are  not  available  for  a 
decision,  relatively  simple,  straightforward 
tests  of  comparison  can  be  performed  to  aid 
in  the  decision  process.  The  following 
example  outlines  the  design  and  conduct  of 
such  a  test. 


STEP  1 


-  Define  the  Problem 


A  system  designed  with  conventional 
circuitry  could  be  redesigned  using  micro¬ 
circuitry,  with  a  significant  reduction  in 
weight  and  space.  However,  both  the  rede¬ 
sign  cost  and  the  per/equipment  cost  would 
be  inflated.  A  5-to-l  increase  in  reliability 
will  offset  higher  initial  costs.  Therefore, 
the  problem  is  to  determine  if  a  micro- 
circuit  design  will  yield  a  minimum  of  5-to-l 
increase  in  reliability  or  a  5-to-l  decrease 
in  failure  rate. 


STEP  2 


—  State  Test  Objectives 


The  primary  objective  of  a  comparative 
testis  to  determine  whether  a  pre-established 
hypothesis  can  be  accepted  or  rejected.  For 
tests  of  this  type,  the  basic  hypothesis  is 
that  “no  difference  exists”: 


Ho.  Ac  —  A,,, 


The  observed  1,000-hour  reliability 
is  64/66  =  .97.  Continuation  of  the  test  for 
the  additional  1,000  hours  permits  a  plot  of 
the  observed  reliability  function  as  shown 
in  Figure  6-14  and  analysis  of  the  individual 
failures  as  recommended  in  Chapter  8. 

6-3-3  Tests  of  Comparison 


where  Am  =  Failure  rate  of  micro- 
circuitry 

Ac  =  Failure  rate  of  conven¬ 
tional  circuitry 

An  alternative  hypothesis  (Ha)  is 
also  established: 


A  problem  which  frequently  confronts 
the  designer  is  the  choice  between  two  or 
more  possible  items  for  use  in  the  design, 
the  choice  between  approaches,  or  perhaps 


Ha:  Ac  >  5Am 

This  hypothesis  will  be  accepted  in  the 
event  Ho  is  not  supported  by  test  data. 
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STEP  3 


-  Establish  Test  Requirements 


The  primary  environmental  conditions 
under  which  the  comparison  must  be  made 
include  input  voltage  variations  and  tran¬ 
sients  typical  of  those  seen  by  airborne 
electronic  equipments  and  an  ambient  tem¬ 
perature  cycle  varying  from  -55°C  to  +60°C. 


The  comparison,  by  necessity,  is 
based  upon  several  individual  circuit 
functions  rather  than  upon  complete  equip¬ 
ment  designs.  The  IF  strip  is  chosen  as  the 
group  of  circuit  functions  upon  which  the 
decision  will  be  based.  For  the  purposes  of 
the  test,  the  definition  of  IF  strip  failure  is 
to  be  based  upon  the  “design-required” 
output  signal  tolerances,  with  the  minimum 
expected  input  signal  (output  from  RF 


stages)  fed  into  the  IF  strip.  The  accept¬ 
able  risks  of  making  a  wrong  decision  are 
both  set  at  .05;  i.e.: 

•  a,  the  probability  of  rejecting  Ho  when  it 
should  be  accepted,  =  .05 

•  /3 ,  the  probability  of  accepting  Ho  when 
it  should  be  rejected,  =  .05 


-  Test  Design 

The  basic  design  of  comparison  tests 
is  illustrated  in  Figure  6-15.  Samples  of 
each  item  to  be  compared  are  selected  and 
randomly  subjected  to  the  same  test  con¬ 
ditions.  Data  analysis  and  decision  criteria 
are  based  upon  the  proportion  of  defectives 


STEP  4 


MICRO-CIRCUITS  CONVENTIONAL 


SUCCESS  SUCCESS 


Figure  6-15.  Comparative  Test  Plan  Schematic 
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observed  for  each  type  item.  A  sample,  N, 
of  each  type  of  IF  strip  is  subjected  to 
a  1,000-hour  life  test  under  anticipated  use 
conditions.  At  least  once  a  day  (24  hours), 
the  signal  outputs  of  each  IF  strip  are 
measured.  Any  measurement  which  is  out¬ 
side  the  preset  tolerance  limits  is  cause 
for  rejection  of  the  IF  strip  (it  is  optional 
whether  the  rejected  item  is  continued  in 
test  or  Femoved).  The  initial  sample  sizes 
are  determined  by  a  combination  of  three 
factors: 

(1)  The  acceptable  decision  risks 
(a  =  / 3  -  .05). 

(2)  The  desired  discrimination  ratio 
or  differences  to  be  detected 
(5-to-l). 

(3)  The  “expected”  minimum  propor¬ 
tion  defective  to  be  observed. 

Figure  6-16  is  a  graph  relating  sample 
size  to  the  minimum  proportion  defective  for 
several  discrimination  ratios  at  a  *  /8  -  .05. 

The  expected  minimum  proportion 
defective  is  estimated  by  assuming  that 
micro-circuit  IF  strips  have  a  failure  rate 
one-fifth  of  that  predicted  for  the  conven¬ 
tional  strip: 

Expected  Am  =-^-Ac  =-jr(.0002) 

j  D 

*  .00004  failures  per  hour 

A  1,000-hour  test  would  thus  be  expected 
to  yield  4%  defectives  (a  proportion  defec¬ 
tive  of  .04). 


in  summary,  the  test  plan  consists  of: 

•  Fabrication  of  50  IF  strips  of  each  type. 

•  Initial  performance  test  to  assure  all  good 
at  t  =  0. 

•  Conduct  of  1,000-hour  life  test  with  once- 
a-day  performance  measurements. 

•  Classification  of  the  test  data  into  one  of 
four  groups,  organized  as  illustrated  in 
Figure  6-17. 


STEP  5 


—  Implement  the  Test 


Results  of  the  test  are  tabulated  in 
Figure  6-17. 


—  Analyze  the  Results 

The  data  classified  in  Figure  6-18  are 
analyzed  by  a  process  labeled  the  “Chi- 
Square  Test  of  Independence”.!/  First 
it  is  necessary  to  construct  a  table  of 
expected  values  (Figure  6-18)  corresponding 
to  the  observed  data  table.  “Expected” 
values  are  derived  by  multiplying  row  totals 
by  column  totals  and  then  dividing  this 
product  by  the  overall  sample  size,  as  shown 
in  Figure  6- 18(a).  The  Chi-Square  (x2)  Test 
compares  the  observed  values  against  the 
expected  values  in  the  tables. 

Expressed  mathematically, 

v2 . 4  (|0  -  E|  -  .5)2 
x  l  E 

where  0  is  the  observed  data,  E  is  the 


STEP  6 


A  total  sample  size  of  approximately 
100  IF  strips  (50  micro-circuit  and  50  con¬ 
ventional)  is  obtained  from  Figure  6-16, 
under  the  assumption  of  4%  defective  and  a 
5-to-l  discrimination  ratio. 


-/  Duncan,  Acheson  J.,  “Chi-Square  Tests  of 
Independence  and  Comparison  of  Percentages”, 
Industrial  Quality  Control,  American  Society  for 
Quality  Control,  New  York,  June  1955,  Vol.  XI, 
No.  9. 
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Micro-Circuit 

Conventional 

Total 

Success 

46 

38 

84 

Failure 

4 

12 

16 

TOTAL 

50 

50 

100 

Figure  6-17.  Results  of  Comparison  Test  Between  Micro-Circuit 
and  Conventional  IF  Strips 


expected  value  for  the  same  cell,  and 
|0  -  El  is  the  absolute  value  of  the  differ¬ 
ence.  §/  The  summation  is  the  sum  of  the 
four  data  cells. 

The  hypothesis  that  Ac  =  Am  (or  that 
the  percent  defective  throughout  1,000  hours 
of  test  are  equal)  is  rejected  if  the  above 
summation  is  greater  than  3.84.-/ 

The  critical  y2  for  the  micro-circuit 
test  is  computed  as 

2  _  (146-421-  .5)2  +  (|38  -  42[-.5)2 
X  42  +  42 

(|4  -  81-  .5)2  (112-8I-.5)2 

+  8  +  8 

(4 -,5)2  (4-. 5)2 

42  42 

(4-. 5)2  (4-. 5)2 

+  8  +  8 

ft/  The  value  of  ,5  is  subtracted  from  the  absolute 
difference  between  the  observed  and  expected 
before  squaring  if  the  total  of  all  the  cells  is 
greater  than  40  and  the  smallest  expected  value 
is  less  than  500. 

11  The  value  of  3.84  is  that  value  of  the  Chi-Square 
(y2)  obtained  from  Tables  of  the  Chi  Square  for 
one  degree  of  freedom  and  the  .05  level  of 
significance  (i.e.,  the  probability  of  rejecting 
the  hypothesis  when  it  should  have  been  accepted. 


=  .292  +  .292  +  1.53  +  1.53 
=  3.64 

Therefore,  the  hypothesis  that  the 
failure  rates  of  the  micro-circuit  IF  strip 
are  equal  to  those  of  conventional  design  is 
not  rejected.  On  the  basis  of  the  test 
results,  the  gain  in  reliability  by  a  redesign 
to  include  micro-circuitry  would  not  provide 
the  minimum  5-to-l  improvement  established 
as  the  economical  break-even  point. 

Secondary  data  analysis  include 
analysis  of  failures  and  plots  of  the 
observed  reliability  functions  in  accordance 
with  Chapter  8. 
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(a)  Method  of  Calculation 


Micro-Circuit 

i  .  i 

Conventional 

Total 

Success 

50(46  +  38) 

50(46  +  38) 

84 

100 

100 

Failure 

50(4  +  12) 

50(4  +  12) 

16 

100 

100 

TOTAL 

50 

50 

100 

(b)  “Expected"  Data  Table 


Micro-Circuit 

Conventional 

Total 

Success 

42 

42 

84 

Failure 

8 

8 

16 

TOTAL 

50 

50 

100 

Figure  6-18.  Table  of  Expected  Data  Under  the  Assumption  that  the  Percent  Defective 

is  Equal  for  Each  Type  of  IF  Strip 
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CHAPTER  7 

RELIABILITY  ACCEPTANCE  TESTS 

7-1  INTRODUCTION 


Acceptance  testing  of  a  product 
involves  the  evaluation  of  product  character¬ 
istics  under  specified  conditions.  If  the 
evaluation  discloses  that  these  character¬ 
istics  fall  within  “acceptable”  limits  as 
defined  in  the  product  specification,  the 
product  is  deemed  acceptable.  Thus  the 
acceptance  test  need  not  produce  a  measure¬ 
ment  of  the  characteristics,  but  only  show 
that  they  are  “good  enough”  to  meet  mini¬ 
mum  acceptance  requirements.  It  is  not 
necessary  to  know  how  much  better  a  product 
is  than  its  specified  minimum  in  order  to 
make  an  accept  decision.  What  is  necessary, 
however,  is  a  knowledge  of  the  risk  involved 
in  making  the  decision  to  accept  a  product 
on  the  basis  of  the  test  results.  In  general, 
when  more  test  time  is  used  (more  failures 
are  expected  during  the  test),  less  risk  is 
involved  in  making  a  decision  or,  conversely, 
there  is  more  confidence  in  the  test  results. 
Two  types  of  risks  are  involved  in  any 
acceptance  test  plan  —  the  risk  of  rejecting 
an  acceptable  product,  and  the  risk  of 
accepting  an  unacceptable  product.  These 
will  be  discussed  further  in  the  step-by-step 
test  design  procedure. 

Because  of  the  high  costs  of  product 
testing  at  low  risks,  sequential  test  plans 
have  been  developed^/  to  more  effectively 
utilize  the  test  results  for  decision  making. 
Two  types  of  sequential  plans  are  appli¬ 
cable: 


i/See  for  example,  OASD  Handbook  H108,  “Sampling 
Procedures  and  Tables  for  Life  and  Reliability 
Testing”,  29  April  1960. 


•  MTBF  or  failure-rate  tests  based 
on  the  exponential  distribution 
which  are  applicable  to  most 
systems  and  equipments  of  con¬ 
ventional  design  that  do  not  make 
extensive  use  of  redundancy. 

•  Probability  of  survival  tests, 
based  on  the  inclusion  of  oper¬ 
ating  time  (or  cycles)  as  a  test 
condition.  These  tests  are 
generally  applicable  to  all  pro¬ 
ducts  irrespective  of  their  time- 
to-failure  distribution. 

Procedures  for  each  of  these  types  of 
sequential  tests  are  outlined  in  this  chapter. 

The  major  advantage  of  sequential 
testing  plans  is  that,  on  the  average,  they 
require  less  testing  than  attributes  or  vari¬ 
ables  plans,  especially  when  the  product  is 
either  very  poor  or  very  good.  The  major 
disadvantage  is  that  the  exact  number  of 
items  needed  cannot  be  determined  before 
the  test  is  run.  However,  it  is  possible  to 
compute  the  average  number  of  items 
required. 

In  general,  a  good  product  will  be 
accepted  quickly  and  a  poor  product  will  be 
rejected  quickly,  while  a  questionable  pro¬ 
duct  will  usually  require  a  longer  testing 
time  (although  a  smaller  number  of  failures) 
than  is  required  by  other  sampling  plans. 
Another  feature  of  sequential  plans  is  that 
they  can  be  used  either  for  testing  one  item 
at  a  time  or  for  testing  many  items  simul¬ 
taneously. 
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7-2  SEQUENTIAL  TEST  DESIGN  FOR  MTBF  ACCEPTANCE 


7-2-1.  General 

Sequential  test  for  MTBF  acceptance 
may  be  used  when  the  exponential  distribu¬ 
tion  maybe  assumed  for  the  MTBF  or  failure 
rate.  When  the  assumption  of  exponentiality 
is  not  valid,  a  different  test  design  should 
be  used  (see  7-3). 

7-2-2.  Procedural  Steps 

A  method  for  designing  a  sequential 
MTBF  acceptance  test  is  presented  and 
demonstrated  by  example  in  the  following 
steps. 


Define  “Acceptable”  and 
“Unacceptable”  MTBF 

The  nominal  MTBF  expressed  as  the 
design  requirement  is  the  acceptable  MTBF, 
usually  denoted  by  6q.  The  unacceptable 
MTBF  corresponds  to  the  minimum,  accept¬ 
able  originally  defined  in  the  design  speci¬ 
fication,  usually  denoted  by  6y  Figure  7-1 
illustrates  the  concept  of  ^  as  the  nominal 
MTBF,  with  6^  as  the  lower  tolerance  limit 
as  discussed  in  Chapter  6.  For  purposes 
of  illustration,  a  normal  distribution  of 
MTBF’s  is  depicted  about  the  mean  value. 


STEP  1 


FREQUENCY 


Figure  7-1.  Distribution  of  MTBF’s  Centered  at  a  Nominal  Value  do, 
Showing  a  Minimum  Acceptable  Value  at  6\ 
as  a  Lower  Tolerance  Limit  on  Acceptable  MTBF 
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7-2-2 


Where  reliability  has  been  expressed 
as  a  failure  rate,  the  requirement  is  easily 
translated  into  MTBF  in  the  exponential 
case  by  taking  the  reciprocal  of  failure  rate; 
i.e.: 


MTBF  =  — 


1 


Failure  Rate 


EXAMPLE:  An  equipment  has  been 
designed  to  meet  a  specified  nominal 
MTBF  of  200  hours  that  is  based  on  a 
TDP  definition  of  nominal  (200  hours) 
and  minimum  acceptable  (100  hours). 
Design  predictions  followed  by  devel¬ 
opment  (evaluation)  tests  have 
verified  design  achievement  of  the 
200-hour  requirement  under  the  speci¬ 
fied  test  conditions.  The  basic 
design  is  thus  qualified  for  prototype 
development.  An  acceptance  test  is 
now  to  be  designed  as  a  means  of 
deciding  whether  to  accept  the  proto¬ 
type  for  production  or  to  reject  the 
prototype  and  require  that  the  design 
be  further  refined. 

On  the  basis  of  development  test  data, 
a  hypothesis  can  be  formulated  con¬ 
cerning  the  probable  MTBF  of  the 
prototype:  it  is  hypothesized  that 
MTBF  =  Oq  =  200  hours. This  hypoth¬ 
esis  is  termed  the  “Null”  hypothesis, 
shown  as 


Hq.-  0O  -  200  hours 


An  alternative  hypothesis  is  stated 
on  the  basis  of  the  specified  minimum 
acceptable  MTBF  (100  hours)  as 
follows: 


STEP  2 


—  Define  the  Allowable  “Risks”. 


Two  risks  are  involved,  at  least  one 
of  which  -  “the  consumer’s  risk”  —  will 
have  been  stated  in  the  specification  de¬ 
scription  of  the  reliability  requirement: 


•  The  “producer’s  risk”,  denoted 
by  a  (alpha),  is  the  chance  or 
risk  of  rejecting  a  product  that  in 
actuality  is  acceptable.  This  is 
the  risk  taken  by  the  development 
contractor  or  equipment  manu¬ 
facturer  when  he  submits  his  pro¬ 
duct  to  the  acceptance  test.  Most 
tests  are  designed  for  a  5%  or  1C% 
producer’s  risk. 


•  The  “consumer’s  risk”,  denoted 
by  /3  (beta),  is  the  chance  or 
risk  of  accepting  a  product  that 
is  in  actuality  below  the  minimum 
acceptable  level.  This  is  the  risk 
taken  by  'he  Bureau  when  it  de¬ 
termines  product  acceptability  on 
the  basis  of  an  acceptance  test. 
Most  tests  are  designed  for  a  10% 
or  20%  consumer's  risk. 

Jn  the  preceding  example,  assume  that 
the  minimum  acceptable  level  of  reliability 
was  defined  fora  consumer’s  risk  of  /8  =  10% 
(i.e.,  the  Bureau  wants  90%  confidence 
(1  -  /3)  that  the  product  has  an  MTBF  of  at 
least  100  hours).  Assume  also  that  the 
development  contractor  had  agreed  to  a 
producer’s  risk  of  a  =  10%  (i.e.,  the  producer 
wants  90%  confidence  that  the  prototype  will 
be  accepted  by  the  test  if  its  MTBF  is  in 
fact  200  hours).  Thus, 


Hj:  <  100  hours 


a  =  10% 

fi  =  10% 
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Determine  Accept/Reject 
Boundaries. 


With  6q  and  0 ^  both  defined,  and  the 
two  risks  a  and  /3  established,  all  para¬ 
meters  needed  for  the  choice  or  design  of 
the  sequential  test  are  known.  Two 
methods  of  test  design  are  available  to  the 
project  engineer  (or  to  the  contractor,  if  the 
test  design  requirement  has  been  given  him 
as  a  task): 

•  Handbook  Method  —  This  requires 

the  use  of  OASD  Handbook  H108 
ora  comparable  document  in  which 
sequential  test  plans  are  already 
available  for  different  combin¬ 
ations  of  a,  /S,  ,  and  0q. 

•  Mathematical  Method  --  This 
requires  the  derivation  of  the  test 
plan  from  the  basic  equations. 


The  mathematical  method  will 
be  illustrated  here,  to  acquaint  the  engineer 
with  the  formulae  that  underlie  the  plans 
presented  in  handbooks.  Figure  7-2  is  a 
graphic  representation  of  a  sequential 
sampling  plan,  showing  the  equations  for 
lines  of  acceptance  and  rejection. 

Accept  Line:  T(t)  =  hQ  +  rs 

Reject  Line:  T(t)  =  -hj  +  rs 

where 


STEP  3 


TOTAL  CUMULATIVE 
TEST  TIME  T(t) 


Figure  7-2.  Graphic  Representation  of  Sequential  Test  Plan 
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Ln  =  Logarithm  to  base  e 

r  =  Number  of  failures  observed  by 
time  t 

and  T(t)  =  Total  number  of  hours 

accumulated  by  all  items  up  to 
time  t 
r 

=  2  t.  +  (n  -  r)t,  in  the 
i=l  1 


employed  in  equipment  and  system  testing; 
i.e.,  each  equipment  that  fails  is  either 
replaced  in  the  test  or  is  repaired  and  rein¬ 
stalled  in  the  test. 


EXAMPLE:  In  the  preceding  example, 
a  =  /3  =  .  10,  6q  =  200  hours  and 
=  100  hours.  Accept/re ject 
equations  would  be  derived  as  follows: 


100  200 


2.2 

.005 


=  440 


Ln  9 

.01  -  .005 


non-replacement  case 

In  the  replacement  case,T(t)  =  nt,  where  n 
is  the  number  of  items  initially  placed  on 
test.  The  replacement  type  of  testis  usually 


1  1 
100  200 


=  JLiL  =  440 
.005 


CUMULATIVE 
TEST  TIME  T(t) 
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/200\ 

uooj  _ 


100  200 

=  138.6  =  140 

The  accept  line  then  is  defined  by 
T(t)  =  T*  =  440  +  140r 

The  reject  line  is  defined  by 
T(t)  =  =  -440  +  140r 

These  two  lines  are  plotted  in 
Figure  7-3  for  several  values  of 
T(t)  and  r,  as  shown  in  Figure  7-4. 

To  illustrate  the  use  of  the  test  plan, 
three  possible  outcomes  are  plotted  in 
Figure  7-3: 

Case  A:  Equipment  is  accepted 
because  the  accept  decision 


line  is  crossed  after  440 
hours  of  test  time,  before  the 
first  failure  occurs. 

Case  B:  Equipment  is  rejected 
because  the  reject  decision 
line  is  crossed  at  960  hours 
with  the  10th  failure. 

Case  C:  Equipment  on  test  without 
either  decision  boundary  being 
crossed;  the  10th  failure 
after  960  hours,  but  before 
1840  hours.  (Truncation 
methods  for  this  case  are 
discussed  in  7-4.) 

The  test  plan  derived  above  could 
have  been  approximated  from  the  Master 
Table  of  Sequential  Life  Tests  (Table  2D-1) 
of  H108.  For  example,  plan  C-ll  of  H108, 
having  a  =  /9  =  .1  and  Q\/0q  =  .512,  most 
nearly  fits  the  criteria  derived  above. 


- v - 1 

Minimum 

Number  of  Failures 

Time  to  Accept 

(r) 

<T*> 

0 

440 

1 

580 

2 

720 

3 

860 

4 

1000 

5 

1140 

6 

1280 

7 

1420 

8 

1560 

9 

1700 

10 

1840 

15 

2540 

20 

3240 

Maximum 
Time  to  Reject 


Figure  7-4.  Accept/Reject  Numbers  (Foilures)  os  a  Function 
of  Totol  Test  Time  T(t)  for  a  Replacement  Test 
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An  excerpt  from  Table  2D-1  of  H108  is  shown  below: 


(1) 

(2) 

(3) 

(4) 

(5) 

(6) 

(7) 

(8) 

(9) 

Code 

r0 

h0/<?o 

hl/0o 

s/0q 

E0(r) 

E0j(r) 

Es(r) 

E0o(r) 

C-ll 

45 

2.3053 

-2.3053 

.7024 

3.3 

9.7 

10.8 

6.2 

Sequential  Life  Test  Plan  for  =  .512,  a  =  /9  =  .10 


h0/d?0,  hj/^Q,  and  s/dQ  are  normalized 
constants  for  the  accept/reject  equations. 
To  determine  the  equation,  simply  multiply 
these  constants  by  0q  =  200.  The  following 
equations  result: 

Accept  Line:  T(t)  =  461  +  I40r 


and 


Reject  Line:  T(t)  =  -461  +  140r 


Develop  the  OC  Curve  for  the 
Sequential  Test  Plan. _ 


The  operating  characteristic  (OC) 
curve,  denoted  by  L(0),  for  the  sequential 
plan  is  given  approximately  by 


The  curve  is  determined  by  assigning  values 
to  h  and  solving  for  6  and  L(0).  Five  points 
on  the  OC  curve  are  shown  in  Figure  7-5. 
From  these  points  it  is  possible  to  make  a 
rough  sketch  of  the  OC  curve  and  to  deter¬ 
mine  what  further  points  are  needed  for  more 
accurate  detail. 


STEP  4 


where 


a  h  . 

Lid)  1 

h 

6 

L(<9) 

Ah  -  Bh 

-oo 

0 

0 

-1 

°l 

13 

0 

s 

hl/\)  +  hl 

QQ. 

1 

n 

< 

1 

% 

1  -  a 

a 

oo 

OO 

i 

B  = 


<3 

(1  -  a) 


Figure  7-5.  Five  Points  on  the  OC  Curve 
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Graphically,  the  OC  curve  will  take  roughly  the  shape  shown  in  Figure  7-6. 


STEP  5 


Estimate  Expected  Length 
-  of  Test  Required  for 
Decision _ 


in  the  non-replacement  case,  where  n  is  the 
number  of  units  on  test  and  6  is  the  actual 
(or  true)  MTBF. 


The  average  length  of  test  (test  oper¬ 
ate  hours/unit)  to  reach  a  decision  is  given 
by: 


EJt)  E«(r) 
6  „  0 


Ea(r),  the  expected  number  of  failures 
required  to  reach  a  decision,  is  given  by: 


E9(rt 


h,  -  He)  (h0th,) 

s  -  6 


in  the  replacement  case,  and 


for  any  finite  value  of  the  actual  (or  true) 
MTBF  ( d )  except  when  6  =  s,  in  which  case: 


E*<t> 


6  Ln 


n 

n  -  Eg(r) 


E  (r) 
s 


=.haili 

s2 
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The  curve  of  E^it)  versus  9  (average 
length  of  test  curve)  is  determined  by 
choosing  values  of  9  (together  with  corre¬ 
sponding  values  from  the  test  plan  and  OC 
curve),  the  number  of  units  which  will  be 
tested  at  any  one  time,  and  whether  a  re¬ 
placement  or  non-replacement  test  procedure 
will  be  used. 

Five  points  on  the  average  length  of 
test  curve  are  tabulated  in  Figure  7-7  for 
the  example  test  design  which  is  imple¬ 
mented  by  testing  ten  units  at  a  time  in  the 
replacement  case. 

From  the  points  in  Figure  7-7,  a 
sketch  of  the  average  length  of  test  curve 
may  be  made  as  shown  in  Figure  7-8. 

A  sketch  such  as  that  shown  in 
Figure  7-8  may  often  be  sufficient  for  test 
estimating  purposes.-^  However,  additional 

2/Requests  for  proposals  should  instruct  bidders  to 
base  cost  estimates  on  the  expected  length  of  test 
when  the  actual  MTBF  equals  a  “nominal”  re¬ 
quirement. 


e 

E0(r) 

0 

3.2 

9 1  (100  ) 

9.1 

s  (138.6) 

10.1 

02  (200  ) 

5.7 

L 

0* 

£  (r)  |  Eo(t)  10  Units 

®  (Replacement  Case) 


0  (a  minimum) 
91 

140  (maximum) 
114 

44*(a  minimum) 


*  Determined  by  engineering  inference 

Figure  7-7.  Five  Points  on 
the  E$(t)  Versus  9  Curve 

points  of  particular  interest  may  be  calcu¬ 
lated. 

While  the  curve  of  Figure  7-8  presents 
the  average  length  of  test  to  reach  a  deci¬ 
sion  for  a  given  MTBF,  the  actual  test 
length  in  any  one  test  may  be  either  signif¬ 
icantly  lower  or  up  to  three  times  the  aver¬ 
age  test  length.  Furthermore,  the  decision 
whether  to  accept  or  reject  depends  on  the 
OC  curve  and  not  on  the  length  of  test. 


Actual  (or  True)  MTBF 
(Hours) 


Figure  7-8.  Average  Length  of  Test  Curve  for  Sequential  Sampling  Plan 
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7-3  SEQUENTIAL  TEST  DESIGN  FOR  RELIABILITY  ACCEPTANCE 


7-3-1.  General 

The  procedures  for  MTBF  acceptance 
outlined  in  the  previous  section  are 
applicable  when  the  equipment  under  test  is 
known  to  follow  the  exponential  law.  How¬ 
ever,  in  cases  where  the  assumption  of 
exponentiality  is  not  valid,  ^  it  is  necessary 
to  express  the  reliability  requirement  as  a 
probability  of  survival  for  the  prescribed 
mission  time.  A  sequential  test  can  then  be 
designed  to  accept  or  reject  the  product  on 
the  basis  of  its  “unreliability”  or  “propor¬ 
tion  defective”  during  a  prescribed  mission 
time. 


7-3-2.  Procedural  Steps 

The  same  procedure  is  applicable  to 
one-shot  devices  and  cycle-dependent 
equipments  that  are  not  directly  dependent 
on  time.  System  availability  or  operational 
readiness  can  also  be  evaluated  for  accept¬ 
ability  by  sequential  test  methods.  Appli¬ 
cation  of  sequential  test  design  procedures 
to  these  latter  cases  is  also  illustrated. 


STEP  1 


Define  “Acceptable”  and 
-“Unacceptable”  Proportion 
Defective  (p) _ 


The  nominal  proportion  defective, 
designated  as  pg,  is  defined  as  (1  -  Rg), 
where  Rg  is  the  design  requirement  for 
acceptable  reliability  throughout  the  speci- 


Equipment  designs  that  employ  redundancy  at  the 
part  or  module  level  usually  void  the  exponential 
assumption,  as  do  those  equipments  which  are 
judged  on  an  attributes  basis,  i.e.,  number  of 
successes  in  a  given  number  of  trials  and  tests. 


fied  mission  period,  i.e.,  Rg  =  R(tm)nom. 
(In  the  exponential  case,  0 g  was  used 
instead  of  Rg.) The  unacceptable  proportion 
defective,  designated  as  pp  is  defined  as 
(1  -  Rj),  where  Rj  corresponds  to  the 
minimum,  acceptable  reliability  originally 
defined  in  the  design  specification  for  the 
specified  mission  period.  (In  the  exponential 
case,  Oy  was  calculated  from  Rj.) 

EXAMPLE:  An  equipment  has  been 
designed  to  have  a  nominal  reliability 
of  .97  for  a  6-hour  mission.  A  min¬ 
imum  acceptable  reliability  of  .94  has 
been  specified  for  the  same  period. 
Redundancy  has  been  used  in  design; 
therefore,  the  assumption  of 
exponentiality  does  not  hold.  Design 
predictions  and  development  tests 
indicate  that  basic  design  is  qualified 
for  prototype  development.  An  accept¬ 
ance  test  is  now  to  be  designed  as  a 
means  of  determining  whether  to  accept 
the  prototype  for  production  or  to 
reject  it  and  require  further  design 
refinement.  On  the  basis  of  develop¬ 
ment  test  data,  a  hypothesis  may  be 
formulated  concerning  the  probable 
proportion  defective  of  the  prototype, 
i.e.,  it  is  hypothesized  that 
p  =  .03,  or ( 1  - . 97).  This  hypothesis  is 
termed  the  “Null”  hypothesis  and  is 
shown  symbolically  as: 

Hn:  pn  <  .03  at  t  =  t 

0  r0  -  m 

An  alternative  hypothesis  that  p  =  .06, 
or  (1-. 94),  is  formulated  from  the 
specified  minimum  acceptable  reli¬ 
ability  of  .94,  as  follows: 


p,  >  .06  at  t  =  t 
K1  -  m 
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STEP  2 


-  Define  the  Allowable  “Risks" 


The  two  risks  involved  have  meanings 
equivalent  to  those  discussed  for  MTBF 
acceptance  tests.  The  “producer’s  risk", 
a,  is  the  contractor’s  chance  or  risk  that  a 
product  with  an  acceptable  proportion 
defective  po  will  be  rejected.  The  “con¬ 
sumer’s  risk’’,  /S,  is  the  Bureau’s  chance 
or  risk  of  accepting  a  product  proportion 
defective  which  is  worse  than  the  minimum 
acceptable  level,  pi- 


To  illustrate  the  test  design,  assume 
that  the  minimum  acceptable  level  of  reli¬ 
ability,  represented  by  pj,  was  defined  for  a 


CUMULATIVE  NUMBER 
OF  FAILURES,  r 


consumer’s  risk  of  /9  =  10%  -  i.e.,  the 
Bureau  wants  90%  confidence  (1  -  /S)  that 
the  product  has  a  proportion  defective  (unre¬ 
liability)  of  not  more  than  .06.  Assume  also 
that  the  development  contractor  had  agreed 
to  a  producer’s  risk  of  a  =  10%  —  i.e.,  the 
producer  wants  90%  confidence  that  the 
prototype  will  be  accepted  by  the  test  if 
its  proportion  defective  is  in  fact  .03  or 
less.  Thus  a  =  j3  =  10%. 


Determine  Accept/Reject 
Decision  Boundaries. 

With  pQ  and  p^^  both  defined  and  the 
two  risks  a  and  /3  established,  all  the 


STEP  3 


Figure  7-9.  Graphic  Representation  of  Sequential  Test  Plan  for  Proportion  Defective 
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necessary  parameters  for  the  choice  or 
design  of  the  sequential  test  are  known. 
Until  such  time  as  a  handbook  of  test  plans 
is  published,  the  project  engineer  or  con¬ 
tractor  must  derive  the  plan  from  the  basic 
equations. 

Figure  7-9  is  a  graphic  representation 
of  a  sequential  sampling  plan  showing  the 
equations  for  lines  of  acceptance  and 
rejection. 

The  two  equations  expressing  r  as  a 
function  of  n  are: 

Accept  Line  rn  =  -h^  +  ns 

Reject  Line  r  =  h.  +  ns 
1  n  1 

where 


n  =  Sample  size  (number  of  events  or 
tests  attempted)  when  r  failures 
are  observed. 

r  =  Total  number  of  failures  observed 
in  sample  size  n 


It  is  frequently  desirable  to  express 
the  accept/reject  criteria  as  the  number  of 
tests,  n,  required  for  decision  for  a  given 
number  of  failures,  or  n  as  a  function  of  r. 
In  this  event,  the  preceding  line  equations 
are  easily  solved  for  n  as  follows: 

hft  r 

Accept  Line  n,  =—  +  -2. 

ASs 

-h  r 

Reject  Line  nD  = — l  +  _!L 

n  s  s 

EXAMPLE:  Reliability  Acceptance 

Test.  A  sequential  test  for  MTBF 
acceptance,  designed  for  6 0  =  200 
hours,  dj  =  100  hours,  and  a  =  /S  =  10, 

is  based  on  an  assumption  of  random 
equipment  failure,  which  is  often 
experienced  by  equipments  of  mature 
conventional  design.  Let  us  assume 
that  0Q  and  6 1  were  calculated  from 
SOR  reliability  requirements,  which 
called  for  values  of  .97  (nominal)  and 
,94(minimum acceptable),  respectively, 
for  a  6-hour  mission,  as  represented 
by  Figure  7-10. 


o  6  TIME  in  hours 

Figure  7-10.  Reliability  Function 
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Assume  further  that  a  design  feasibility 
s'udy  has  revealed  the  reliability 
requirement  cannot  be  met  by  con¬ 
ventional  design.  As  a  result,  a  new 
design  incorporating  redundancy  has 
been  established,  and  it  is  now  pro¬ 
posed  that  models  of  this  new  design 
be  tested  to  determine  that  required 
reliability  has  been  achieved.  Since 
the  rate  of  failure  may  no  longer 
follow  the  random  pattern  because 
of  the  redundancy  employed,  the  MTBF 
test  previously  designed  may  not  be 
suitable.  Therefore,  with  reference  to 
the  equations  of  Step  3,  the  accept/ 
reject  equations  for  the  non¬ 
exponential  situation  would  be  derived 
as  follows: 


For  comparison  on  a  basis  consistent 
with  the  MTBF  test,  the  line  equations  are 
solved  to  express  n  as  a  function  of  r,  and 
they  result  in  the  following  accept/reject 
criteria: 

Accept  when  n  >74.5  +  24.5  rn 

Reject  when  n  <  -74.5  +  24.5  rn 

These  two  lines  are  plotted  in  Figure 
7-11,  with  several  values  of  r„  and  n  sub¬ 
stituted  in  the  equations,  as  shown  in  the 
Figure  7-12. 

To  illustrate  use  of  the  test  plan, 
four  possible  results  of  testing  are  plotted: 


2.20 

0.723 


3.04 


s  = 


Lr 

Rl  -  .03)1 

.(1  -  .06). 

u 

'.06(1  -  .03) 

Lnl 

,03(1  -  ,06)J 

Ln  9 
Ln  2.06 


Ln  9 
Ln  2.06 


Ln  1.03 
Ln  2.06 


=  ^95  =  o  0408 
0.723 

The  accept  line  is  defined  by 


r  =  -3.04  +  ,0408n 

n 

The  reject  line  is  defined  by 
r  =  3.04  +  .0408n 

n 


(1)  Four  failures  occurred  prior  to 
completion  of  23  tests,  causing  a 
reject  decision. 

(2)  Completion  of  75  tests  occurred 
prior  to  the  first  failure,  causing 
an  accept  decision. 

(3)  Ten  failures  occurred  prior  to 
completion  of  170  tests,  causing 
a  reject  decision. 

(4)  Completion  of  320  tests  occurred 
prior  to  the  11th  failure,  causing 
an  accept  decision. 

Each  “test”  or  “sample"  in  this 
example  refers  to  an  attempt  to  operate  an 
equipment  for  a  period  of  6  hours  (tm) 

between  inspection  and  repair  or  replace¬ 
ment,  if  needed,  of  the  redundant  item. 

EXAMPLE:  Availability  Acceptance 
Test.  For  the  equipment  used  in  the 
previou  example,  let  us  assume  that 
an  availability  requirement  has  been 
specified  in  addition  to  the  reliability 
requirement  (Aq)  is  .97,  and  that  for 
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SAMPIE  SIZE,  n 
(NUMBER  OF  TESTS) 


CUMULATIVE  FAILURES,  r 


Figure  7-11.  Sequential  Test  Plan  (Non-Exponential)  for  p0  =  .97;  p1  =  .94;  a  =  / 3  =  10% 


Number  of  Failures 

Minimum  Sample  to  Accept 

Maximum  Sample  to  Reject 

(r) 

(nA) 

(nR) 

0 

75 

N/A 

1 

99 

N/A 

2 

124 

N/A 

3 

148 

N/A 

4 

173 

23 

5 

197 

48 

6 

222 

72 

7 

246 

97 

8 

271 

121 

9 

295 

146 

10 

320 

170 

11 

344 

195 

12 

369 

219 

13 

393 

244 

14 

418 

268 

Figure  7-12.  Accept/Reject  Numbers  (Failures)  as  a  Function  of 
Number  of  Tests  or  Sample  Size  (n) 
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jS  =  .1  the  minimum  acceptable  avail¬ 
ability  requirement  (A^)  is  .94. 
(Although  Aq  and  A  often  exceed  RQ 
and  Rp  respectively,  the  same  values 
are  used  here  to  facilitate  using  the 
test  plan  designed  in  the  previous 
example.)  Since  availability  is  a 
measure  of  system  “readiness”  to 
operate  (on  demand)  at  the  start  of  a 
mission,  the  availability  test  will 
assess  whether  the  equipment  is  oper¬ 
ational  or  can  be  made  operational 
within  a  prescribed  period  of  warning 
time.  From  a  practical  standpoint, 
the  warning  time  is  necessitated  by 
normal  equipment  turn-on,  warm-up, 
and  operational  checkout  required  to 
transfer  a  system  from  standby  to 
“full-on”  condition. 

Assume  here  that  it  takes  15  minutes 
to  get  the  system  into  operational 
condition.  The  availability  “sample” 
test  vvould  then  consist  of  one  attempt 
to  turn  on,  warm  up,  and  check  out 
the  system  within  15  minutes.  The 
test  plan  of  the  previous  example  may 
be  used  directly  for  the  availability 
test,  except  that  the  time  period  of 
interest  is  15  minutes  of  operation 
instead  of  6  hours  as  used  for  the 
reliability  test.  The  failure  criteria 
for  availability  tests  are  likely  the 
same  as  those  used  for  the  reliability 
test.  Test  “samples”  are  selected  at 
random  points  in  time. 


STEP  4  —  develop  ^e  OC  Curve 

_____)  for  the  Sequential  Reliability 
Test  Plan 


true  proportion  defective  of  the  items  being 
tested)  is  given  approximately  by: 


L(p)  = 


Ah-1 
Ah  -  Bh 


where 


_1*0 


-fe) 

P,\h  /i  -  pAk 


Po/  \  Pi 


The  OC  curve  is  determined  by 
assigning  values  to  h  and  solving  for  L(p) 
and  p.  Five  points  on  the  OC  curve  are 
shown  in  Figure  7-13.  From  these  points,  a 
rough  sketch  of  the  OC  curve  (Figure  7-14) 
can  be  made  to  determine  whether  additional 
points  are  needed  for  the  desired  accuracy. 


0 

P 

hj/Oip+hj) 

1  -  a 

1 


The  operating  characteristic  (OC) 
curve  for  the  sequential  plan  (i.e.,  the 
probability  of  accepting  H0  when  p  is  the 


Figure  7-13.  Five  Points  on  the  OC  Curve 


502 


h, 

h|  -F  h0 


p0  =  .03  .0405  p,  -  .06 

PROPORTION  DEFECTIVE,  p 

Figure  7-14.  Sketch  of  the  OC  Curve 


STEP  5  -  Estimate  Expected  Number  of  Tests  Required  for  Decision 

With  a  sequential  reliability  test  plan  the  expected  (average)  number  of  tests  required 
to  reach  a  decision  is  a  function  of  the  actual  (or  true)  proportion  defective  (p)  of  the  items 
tested  and  may  be  calculated  approximately  as  follows: 

E  (r)  _  L(p)  Ln  B  +  (1  -  L(p))  Ln  A 


p  Ln(P°)  +  (1  -  p)  Ln(i — Pi] 

IP  of  J  L  U  -  Pol 


where 

A=(1-^ 

a 

and 

"3 

<0.  , 

r-^ 

II 

CO 

The  curve  of  Ep(r)  versus  p  is  determined  by  first  choosing  values  of  proportion  de¬ 
fective  (p)  together  with  the  corresponding  values  from  the  OC  curve  and  test  design,  and 
solving  for  Ep(r).  Five  values  of  Ep(r)  may  be  calculated  more  easily  than  other  points  and 
may  be  used  to  sketch  the  curve.  Figure  7-15  presents  these  values  for  the  example  test 
design. 
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I 


p 

EpM 

=  1 

hl 

Ei(r)  - -  =  4  (a  minimum) 

(1  -  s) 

fj 

'O 

II 

o 

o\ 

(1  -  /3)h,  -  /3h0 

E  (r)  =  1  °  =  127 

pl  Pl-s 

=  s  =  .0405 

E.(r)  =  - — =  236  (maximum) 

8  s(l-s) 

=  p0  =  .03 

(1  -  a)hn  -  ah, 

E  (r)  0  1  -  225 

P°  s  -  pQ 

=  0 

h0 

En(r)  =  —  =  75  (a  minimum) 
u  s 

Figure  7-15.  Five  Points  on  the  Ep(r)  Curve 


From  the  points  in  Figure  7-15,  a  sketch  of  the  curve  may  be  made  as  shown  in 
Figure  7-16.  Such  a  sketch  may  often  be  sufficient  for  test  estimating  purposes.^  However, 
additional  points  of  particular  interest  may  be  calculated. 

While  the  curve  of  Figure  7-16  presents  the  average  number  of  tests  to  reach  a  decision 
for  a  given  proportion  defective,  the  actual  number  of  tests  in  any  one  test  situation  may  be 
either  significantly  lower  or  up  to  three  times  the  average  number  of  tests.  Furthermore,  the 
decision  whether  to  accept  or  reject  depends  on  the  OC  curve  and  not  on  the  number  of  tests. 


^/Requests  for  proposals  should  instruct  bidders  to 
base  cost  estimates  on  the  expected  number  of 
tests  when  the  actual  proportion  defective  cor¬ 
responds  to  the  “nominal”  reliability  requirement. 
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7-4  TRUNCATION  OF  ACCEPTANCE  TEST  PLANS 


7-4-1.  General 

When  a  sequential  test  plan  is  used, 
there  are  rare  occasions  in  which,  because 
of  marginally  acceptable  MTBF,  reliability, 
or  availability,  a  decision  boundary  may  not 
be  crossed  even  after  continuous  testing. 
In  order  to  avoid  this  contingency,  decision 
rules  to  truncate  the  test  should  be  estab¬ 
lished  in  advance  of  the  test.  Truncation,  or 
termination  of  the  test  prior  to  crossing  of  a 
decision  boundary,  usually  occurs  when 
either  a  maximum  number  of  failure,  a  max¬ 
imum  number  of  tests  or  hours  of  test,  or  a 
combination  of  both  of  these  is  reached. 
The  a  and  /9  risks  at  truncation  are  affected 
by  where  the  truncation  occurs.  In  general, 
early  truncation  results  in  a  substantial 
increase  in  either  a  or  /S  or  both,  and  trun¬ 
cation  after  a  substantial  amount  of  testing 
causes  an  increase  in  risk  that  is  of  no 
practical  engineering  significance. 


7-4-2.  Procedural  Steps 

A  truncation  method  based  on  a 
maximum  number  of  failures  is  shown  below 
for  a  single  sampling  plan.  It  is  believed 
that  this  method  of  truncation  often  will  be 
practical  for  sequential  acceptance  test 
plans.  However,  if  the  test  program  will 
allow  additional  testing  to  avoid  significant 
increase  in  risk  at  truncation,  the  truncation 
maybe  established  at  three  times  the  number 
of  failures  required  for  truncation  of  the 
single  sampling  plan  (the  latter  method  of 
truncation  is  used  for  H108  sequential 
plans). 


The  method  for  truncating  to  be 
described  requires  inputs  of  values  for  a,  (3, 
and  6i/d0  or  po/pi.  as  applicable,  and 
makes  use  of  a  "Thorndike  Chart”,  which 
is  presented  in  Chart  2-H  of  Appendix  2.  To 
illustrate  the  method,  a  test  plan  having 
a  =  0  =  .10  and  0 i/dQ  or  p0/pi  =  -20  will  be 
truncated. 


Define  "probability  of  r  or 
fewer  failures”  ordinates 
for  Chart  2-II  corresponding  to  (1  -  a)  and  0. 
For  this  test,  the  ordinates  will  be  .9  and  .1, 
respectively. 


Determine  from  Chart  2-II 
abscissa  values  of  np  corre¬ 
sponding  to  the  ordinates  of  Step  1  and 
values  of  r  (number  of  failures).  The  values 
of  r  to  be  used  are  determined  first  by  start¬ 
ing  with  r  =  0  and  then  by  using  for  guidance 
the  results  of  Step  3. 


Calculate  the  ratio  of 
np.g/np.i  for  each  value 
of  r  used  in  Step  2  until  you  find  the  small¬ 
est  r  value  that  will  give  a  ratio  of 
np.9/np.i  that  is  greater  than  0i/0o  or 
p0/pi  for  your  test  plan.  The  tabulation  of 
Step  4  indicates  the  desired  value  of  r  is  2 
since  r=2  yields  the  ratio  np.p/np, j=.209 
which  exceeds  our  0j/0o  value  of  .2  andno 
smaller  value  of  r  yields  a  ratio  greater 
than  .2. 


STEP  1 


STEP  2 


STEP  3 
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STEP  4 


-  Tabulate 


the  results  as  follows: 


r 

nP(l  -  a)  =  nP.9 

npp  =  np  j 

np  9/np  j 

*0 

.11 

2.30 

.048 

1 

.53 

3.89 

.136 

JL 

1.11 

5.32 

.209 

3 

1.75 

6.68 

.262 

Truncate  the  test  at  the 
number  of  failures  (r^)  that  is 

equal  to  one  plus  the  number  of  failures 
identified  in  Step  4  --  in  this  case,  at  three 
failures. 


STEP  5 


For  the  MTBF  test, 

T-r0s 


For  the  reliability  test, 

t=-Q- 

s 


Truncate  the  test  at  the 
number  of  hours  or  number  of 
tests  that  corresponds  to  r^and  is  determined 
by  the  slope  of  the  selected  test  plan. 


For  test  plans  commonly  considered, 
the  number  of  failures  required  for  truncation 
is  given  for  various  discrimination  ratios 
and  risk  values  in  Figure  7-17. 


STEP  6 


V»o 

or 

P(/pl 

a  =  .05 
/3=  .05 

a  =  .05 
/3=  .10 

a  =  .10 

/S=  .05 

a  =  .10 

/3=  .10 

■ 

1/10 

3 

3 

2 

2 

1 

1/5 

5 

4 

4 

3 

2 

1/3 

10 

8 

8 

6 

3 

1/2 

23 

19 

18 

15 

7 

2/3 

67 

55 

52 

41 

18 

Figure  7-17.  Failures  Required  for  Truncation,  Based  on  Single  Sampling  Plan 
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Truncation  at  other  ration  of  6\/6q 
between  1/10  and  2/3  for  the  risk  pairs  in 
the  table  shown  in  Figure  7-17  maybe  deter¬ 
mined  with  practical  accuracy  by  graphical 
interpolation. 


For  truncation  beyond  the  range  of  the 
table  and  Chart  2-11,  consult  tables  of  the 
“Summation  of  Terms  of  Poisson’s  Expo¬ 
nential  Binomial  Limit”. 


7-5  COMPARISON  OF  MTBF  (EXPONENTIAL) 

AND  PROPORTION  UNRELIABLE  (NON-EXPONENTIAL) 
SEQUENTIAL  ACCEPTANCE  TEST  PLANS 


The  sequential  test  plans  used  as 
examples  in  this  section  may  be  used  to 
provide  a  limited  comparison  of  the 
exponential  and  non-exponential  tests. 

In  the  MTBF  test,  total  test  time  is 
plotted  on  the  ordinate.  In  order  to  compare 
the  MTBF  test  to  the  reliability  test,  which 
has  “number  of  6-hour  tests”  as  an  ordinate, 
simply  divide  the  total  test  time  of  the  MTBF 
test  by  six,  the  length  of  test  in  the  non¬ 
exponential  test  plan.  When  the  plans  are 


compared  for  a  given  number  of  failures,  the 
relative  test  length  may  then  be  seen. 

For  the  example  plans  of  this  chapter, 
three  points  are  tabulated  in  Figure  7-18 
to  illustrate  the  comparison. 

In  general,  decisions  in  the  MTBF 
test  can  be  made  in  a  shorter  time  than  the 
time  required  for  decision  in  the  non¬ 
exponential  test. 


Number  of 
Failures 

EXPONENTIAL 

NON-EXPONENTIAL 

TA/6 

TR/6 

Minimum  Sample 
to  Accept 

Maximum  Sample 
to  Reject 

C 

73 

75 

— 

4 

167 

20 

173 

23 

10 

306 

160 

320 

170 

Figure  7-18.  Comparison  of  Exponential  and  Non- Exponential  Sequential  Tests 

for  K  =  H;  a  -  /S  -  .1 
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8-1-1  to  8-1-2 


CHAPTER  8 

RELIABILITY  EVALUATION,  FAILURE  ANALYSIS, 
AND  CORRECTION  -  THE  “FEEDBACK”  LOOP 

8-1  INTRODUCTION 


8-1-1.  General 

Successful  or  satisfactory  operation  — 
the  goal  of  all  design  efforts  —  yields  little 
information  on  which  to  base  improvements. 
Failures,  on  the  other  hand,  contribute  a 
wealth  of  data  of  "what  to  improve”  or  “what 
to  design  against”  in  subsequent  efforts. 
The  feedback  of  information  obtained  from 
the  analysis  of  failures  is  one  of  the  principal 
stepping  stones  of  progress. 

Failure  data  are  recorded,  reported, 
and  controlled  in  many  ways  —  from  the 
sophistical  ed  “controlled  surveillance” 
approach  where  personnel  are  specifically 
assigned  to  record  all  occurrences  of  failure 
accurately  and  in  detail,  to  the  “uncontrolled” 
approach  where  maintenance  personnel  are 
relied  upon  to  record  failure  events  on 
standard  forms  and  to  forward  the  forms  to 
central  collection  agencies  on  a  routine 
basis. 

8-1-2.  Data  Forms 

Data  forms  currently  employed  for 
routine  failure  reporting  by  Fleet  personnel 
are: 

•  DP  787,  “Electronic  Failure  Report”. 
This  report  is  the  forerunner  of  most 
failure  reporting  systems.  It  is  currently 
being  replaced  by  several  of  the  newer 
forms  listed  below. 


•  NAVORD  2214,  “Ordnance  Equipment 
Casualty  Report*’.  This  form  is  used 
to  report  failures  on  non-electronie 
naval  ordnance  equipments.  It  is  being 
replaced  by  NAVWEPS  Form  8000/13. 

•  NAVWEPS  Form  8000/13,  “Weapon 
Systems  Component  Failure  Report”. 
This  form  supersedes  both  DD  787  and 
NAVORD  2214  as  the  basic  reporting 
form  for  ordnance  equipment,  both 
electronic  and  mechanical.  It  requires 
recording  of  maintenance  as  well  as 
failure  data. 

•  NAVAER-3067  (FUR),  “Failure,  Un¬ 
satisfactory  or  Removal  Report”.  This 
is  a  failure  reporting  form  in  wide  use 
for  airborne  equipment. 

•  4ND-NATSF- 13070/6,  “Electronic 
Equipment  Failure,  Removal,  Repair 
Report”.  This  form  is  being  introduced 
with  new  avionics  equipments.  It 
supersedes  DD  787  and  NAVAER-3067 
for  this  category  of  equipment. 

•  BuShips  10551-1,  “Electronic  Equip¬ 
ment  Failure/Replacement  Report”. 
This  form  replaces  DD  787  for  equip- 
ment  under  cognizance  of  the  Bureau 
of  Ships. 
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Other  data  forms  in  use  by  specific 
Held  activities  and  contractors  differ,  in 
general,  only  in  format,  entry  coding,  and 
degree  of  detail  recorded.  The  following 
entries  may  be  considered  standard  on  all 
forms. 


•  Parts  repaired  or  replaced  —  by  name 
and  reference  designator. 

•  Technician’s  analysis  of  part  failure 
and  cause  of  the  trouble. 

•  Date  of  report  or  trouble,  and  report 
number. 

•  Identification  of  higher  level  assemblies 
and  equipments. 

•  Effect  of  failure  on  performance. 

•  Status  of  equipment  and  type  of 
maintenance  action  when  failure  was 
discovered  and  repaired. 

•  Time-meter  readings  of  the  higher  level 
assemblies. 

•  Maintenance  man-hours  and  calendar 

time  to  repair  trouble. 

•  Space  for  remarks. 

•  Individual  and  activity  filing  report. 


These  basic  data  will  permit  the  isolation, 
identification,  and  ranking  of  reliability  (and 
maintainability)  problem  areas  without  re¬ 
quiring  detail,  accuracy,  or  coverage  in  ex¬ 
cess  of  that  presently  attained  by  the  routine 
or  " uncontrolled’  ’  data  systems  in  common  use. 


8-1-3.  The  Feed  bock  Loop 

A  comprehensive  failure  analysis  and 
corrective  action  feedback  loop  must  deter¬ 
mine: 


What  failed. 
How  it  failed. 
Why  it  failed. 


Failure  data  provide  information  to  determine 
the  first  two  factors.  The  third,  essential  to 
corrective  action,  usually  requires  information 
which  can  be  obtained  only  by  laboratory 
study  of  the  problem  areas  uncovered  by 
failure  analysis. 


This  chapter  of  the  handbook  is  de¬ 
voted  primarily  to  the  analysis  of  failure 
data.  Although  emphasis  is  placed  on 
reliability,  the  procedures  are  applicable  to 
the  analysis  of  maintainability  problems  and 
estimates.  An  example  of  the  detailed 
laboratory  analysis  of  “why  it  failed”  is 
presented  in  Paragraph  8-5,  using  the  test 
techniques  presented  in  Chapter  6  of  the 
handbook. 


Maximum  utilization  of  a  failure  report¬ 
ing  system  occurs  only  when  the  results  are 
analyzed  and  disseminated  in  a  form  which 
will  have  wide  application  to  new  system 
designs.  Several  methods  and  data  sources 
have  been  established  to  facilitate  the  ex¬ 
change  and  interchange  of  failure  experience 
within  the  military  services  and  industry. 
Paragraph  8-6  summarizes  those  sources 
which  are  considered  most  useful  to  the  Navy 
and  its  contractors. 
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Of  the  many  questions  which  may  be 
asked  of  a  failure  reporting  system,  the  most 
useful  and  most  readily  answered  is: 


What,  within  an  equipment, 
contributes  most  to  its  un¬ 
reliability? 


The  following  paragraphs  present  a 
step-by-step  method  of  analyzing  present 
failure  reports,  whether  originating  in  the 
Fleet,  at  a  test  facility,  or  at  a  contractor's 
plant,  in  order  to  answer  the  above  question. 


STEP  1 


—  Organize  the  Data. 


Arrange  the  data  first  by  identifiable 
units  or  subassemblies  within  the  subject 
equipment,  then  by  circuit  or  part  reference 
designation  within  each  unit  or  module,  and 
finally  by  cause  of  failure  within  each  part 
reference  designation.  (This  step  is  easily 
accomplished  by  machine  sorting  of  data 
transcribed  to  punch  card  or  tape  data 
systems.) 


Four  example  equipments  are  used 
extensively  throughout  this  section  to 
illustrate  the  step-by-step  procedures  for 


antenna  group  transmitter-receiver  synchroneer 


Figure  8-1.  Example  System  Block  Diagram 
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data  analysis.  Failure  data  are  recorded  on 
equipments  of  a  new  type  during  service 
evaluation  (repeated  flights  in  test  aircraft 
to  demonstrate  performance  capability).  The 
equipments,  packaged  into  modular  units,  are 
individually  identified  by  module  numbers 


running  consecutively  from  1  through  38. 
The  final  configuration  is  represented  in 
Figure  8-1. 

The  failure  data,  ordered  by  module, 
appeared  as  follows: 


Equipment 

Equipment 
Serial  No. 

Unit  or 
Module 

Part  Ref. 

Designation 

AN/XN-000 

- 

01 

- 

- 

- 

1 

02 

V 

201 

Tube 

2 

02 

V 

202 

Tube  \ 

2 

02 

V 

202 

Tube  1 

3 

02 

V 

202 

Tube  l 

1 

03 

Tolerance 

4 

03 

Adjust  / 

2 

03 

c 

304 

Capacitor 

3 

03 

CR 

313 

Diode 

1 

03 

0 

302^^J 

Transistor 

1 

03  / 

- J 

L - 

Plot  Failure  Data  by  Unit  Versus 
Number  of  Failures  per  Unit. 

On  the  basis  of  knowledge  of  the  equip¬ 
ment  derived  from  operator  handbooks  and 
maintenance  manuals,  obtain  a  list  of  all 
units  within  the  equipments  and  plot  the  failure 
data  as  shown  in  Figure  8-2  for  the  example 
equipments.  (The  number  of  units  exhibiting 
zero  failures  can  be  determined  only  if  the 
total  number  of  units  in  the  equipment  is 
known.) 

Inspection  of  Figure  8-2  reveals  that  3 
modules  out  of  the  38  contributed  more  fail¬ 


ures  than  all  their  companion  modules  — i.e., 
Modules  #03,  #27,  and  #38  contributed  60% 
of  the  total  failures  reported.  Each  of  these 
modules  should  now  be  analyzed  relative  to 
complexity  and  circuit  function,  to  determine 
if  in  fact  it  does  represent  a  “maverick” 
problem  (i.e.,  indicate  a  failure  rate  con¬ 
siderably  higher  than  should  be  expected  for 
its  level  of  complexity  and  function).  The 
module  may  exhibit  a  relatively  large  number 
of  failures  because  it  is  more  complex  in 
total  circuits  and  parts  than  others,  or  be¬ 
cause  it  contains  parts  which,  due  to  state- 
of-the-art  limitations,  are  relatively  short¬ 
lived  in  the  particular  application. 


STEP  2 
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—  Designate  the  “Maverick”  Units. 


Some  complex  items  may  appear  errone¬ 
ously  as  mavericks.  On  the  other  hand,  a 
very  simple  unit  may  exhibit  a  high  number  of 
failures  relative  to  complexity, yet  not  appear 
as  a  “unit”  problem.  It  is  therefore -neces¬ 
sary  to  “normalize”  the  observed  unit  failure 


NUMB®  OF  MODULES 


STEP  3 


data  with  respect  to  functional  complexity. 
If  all  units  are  approximately  equal  in  com¬ 
plexity,  then  it  can  usually  be  assumed  that 
no  hidden  mavericks  exist;  if,  on  the  other 
hand,  a  wide  variation  in  complexity  exists 
among  units,  it  is  important  that  unit  failures 
be  normalized  on  a  per-acti  re-element  basis 
(transistor,  tube,  relay,  motor)  before  mave¬ 
ricks  can  be  legitimately  designated. 


Figure  8-3.  Failure  Distribution  per  Active  Element/Module 
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Figure  8-3  shows  the  number  of  modules 
exhibiting  0,  1,  2,  3,  or  more  failures  per 
active  elements.  The  “expected”  shape  of 
this  homogeneous  set  of  data  is  shown  by  the 
smooth  curve  of  the  figure  (a  Poisson  prob¬ 
ability  function  as  described  in  Appendix  2). 
In  most  instances,  this  curve  can  be  sketched 
“by  eye”.  Modules  outside  or  beyond  the 
curve  are  “statistically”  different  from  the 
majority.  They  are  the  mavericks  which,  if 
corrected,  should  yield  the  most  reliability 
improvement  per  dollar.  Failure  rate  improve¬ 
ment  in  the  homogeneous  group  should  also 
be  considered  (Step  5  of  Paragraph  8-3)  as  a 
longer-range  objective,  following  a  clean-up 
of  the  mavericks. 

Normalized  module  failures  are  obtained 
by  dividing  the  number  of  observed  module 


failures  by  the  number  of  active  element 
groups  in  the  module.  The  number  of  AEG’s 
determined  from  the  design  data  on  the 
example  equipment  are  given  in  Figure  8-4. 

For  illustration,  consider  Modules  #38 
and  #17.  The  observed  failures  were  34  and 
5,  respectively,  Normalization  to  number  of 
failures  per  AEG  gives  the  following  results: 

Module  #38  34/29  =  1.2  failures  per  AEG 

Module  #17  5/1  =  5  failures  per  AEG 

Module  #17  is  classified  as  a  maverick  with 
5  failures,  whereas  Module  #38  is  within  the 
range  of  “expected”  AEG  failure  rales  even 
though  it  produced  34  failures  during  the 
same  period. 


Module 

AEG’s 

]  Module 

AEG’s 

1 

1  (Antenna) 

20 

Omitted 

2 

3 

21 

4 

3 

2 

22 

18 

4 

3 

23 

26 

5 

1 

24 

6 

6 

3 

25 

8 

7 

1 

26 

9 

8 

2 

27 

1  (Hydraulic  dr.) 

9 

2 

28 

3 

10 

1 

29 

1 

11 

6 

30 

7 

12 

4 

31 

6 

13 

6 

32 

4 

14 

1 

33 

0 

15 

4 

34 

Omitted 

16 

2 

35 

Omitted 

17 

1 

36 

2 

18 

Omitted 

37 

0 

19 

Omitted 

38 

29 

Total 

165 

Figure  8-4. 


Number  of  Active  Elements  in  Each  Module  of  the  Example  Equipment 
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Evaluate  Problems  Within 
Maverick  Modules. 


Steps  2  and  3  are  now  repeated  within 
each  of  the  modules  designated  as  maverick 
problems,  using  part  reference  designators 
in  lieu  of  modules  as  the  common  denominator. 
Where  relatively  few  parts  are  involved,  a 
review  of  the  part  data  will  usually  permit 
determination  of  those  parts  and  related 
applications  which  are  largely  responsible 
for  the  high  failure  rate  of  maverick  modules, 
as  illustrated  in  the  following  examples: 

Module  #03  Most  removals  were  of 
Transistor  Q  302.  Two 
other  transistors  and 
several  diodes,  resistors, 
and  capacitors  were  not 
removed.  The  21st  re¬ 
moval  was  a  faulty  termi¬ 
nal  strip. 


circuit/part  incom¬ 
patibility  problem  re¬ 
quiring  an  engineering 
analysis  for  solution. 

Module  #27  Connectors  were  removed 
during  routine  mainte¬ 
nance  because  of  cor¬ 
rosion.  Review  of  equip¬ 
ment  is  in  order  to 
determine  how  condensate 
gets  into  the  connector. 

Module  #17  Relays  were  removed  after 
equipment  became  inoper¬ 
ative  and  the  part  failure 
code  indicated  “Contacts 
DO  NOT  open/close’’. 
The  relay  application 
should  be  reviewed 
relative  to  the  relay 
specification. 


STEP  4 


Module  #27  All  ten  removals  were 
contributed  by  one  con¬ 
nector. 

Module  #17  Four  out  of  the  five  re¬ 
movals  were  of  one  relay. 

Module  #38  No  single  part  produced 
more  than  two  failures. 

Removals  or  repair  actions  that  have 
been  itemized  by  module  and  part  reference 
designator  normally  contain  information 
which  may  lead  directly  to  a  definition  of 
the  problem,  as  illustrated  in  the  following 
examples: 

Module  #03  Transistor  removals  from 
Q  302  were  primarily  the 
result  of  inability  to  ad¬ 
just  the  module.  However, 
removed  transistors  tested 
“OK".  This  indicates  a 


Define  Maintainability  Problem 
Area. 


The  preceding  steps,  as  applicable, 
should  be  repeated  in  order  to  extract  all 
available  maintainability  data  from  the  re¬ 
porting  forms  —  fault  location  time,  repair 
time,  waiting  time,  post-repair  checkout 
time,  maintenance  problems,  instrumentation 
difficulties. 


—  Follow  Up. 

The  analysis  illustrated  in  the  preced¬ 
ing  steps  can  prove  useful  and  effective  only 
if  follow-on  detailed  engineering  changes  are 
conceived,  tested,  and  introduced  into  exist¬ 
ing  equipments.  The  summarized  problems 
and  solutions  should  therefore  be  fed  back 
to  design  and  engineering  groups  for  the 
development  of  field  modifications  for 
existing  systems,  as  well  as  to  guide  the 
design  of  future  systems. 


STEP  6 


STEP  5 
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The  failure-reporting  procedures  in  use 
today  are  also  useful  for  the  estimation  of 
equipment  reliability  under  Fleet  “use” 
conditions.  The  accuracy  of  the  estimate  is, 
of  course,  dependent  upon  the  accuracy  of 
data  reporting  and  the  availability  of  adequate 
supporting  information.  Steps  which  may  be 
followed  in  estimating  equipment  reliability 
are  given  below. 


STEP  1 


Determine  the  Number  of 
—  Equipment  Failures  in  a 
Selected  Time  Period. 


Failure  reports  provide  an  estimate  of 
the  total  number  of  equipment  removals,  and 
recent  forms  also  cover  adjustment  and 
alignment  failures  where  no  parts  were  re¬ 
moved.  The  data  should  be  ordered  by 
date/time  sequence  and  equipment  time-meter 
readings,  as  well  as  by  report  number,  in 
order  to  aid  in  grouping  those  part  removals 
which  occurred  as  a  “cluster”  during  each 
repair  action  following  an  equipment  failure.!/ 
Preventive  maintenance  removals  should  not 
be  considered  in  determining  the  number  of 
equipments  to  be  used  in  the  reliability 
computation. 

Continuing  with  the  example,  a  total 
of  108  removals  was  reported  during  service 
evaluation  of  the  four  equipments.  Of  these, 
23  were  removed  during  preventive  mainte¬ 
nance,  with  no  indication  that  the  equipment 
was  in  a  failed  state.  This  left  85  removals 
associated  with  equipment  failures.  Analysis 
of  date/time  and  time-meter  readings  produced 
62  independent  equipment  operational  failures 


(44  during  flight,  and  18  during  ground 
operation). 


Obtain  Total  Number  of 
Equipment  Operating  Hours. 

The  number  of  equipment  operating 
hours  accumulated  during  the  same  time 
period  by  those  equipments  from  which 
data  were  obtained  (include  equipments 
which  accumulated  time  but  did  not  fail) 
must  be  secured  from  equipment  operating 
logs  and  major  system  logs  (flight  logs, 
ships  logs,  etc.).^  Where  large  numbers  of 
equipments  and  several  months  are  involved, 
the  estimated  number  of  hours  of  operation 
per  month  per  equipment  may  be  sufficiently 
accurate  for  estimating  purposes. 

Time  records  for  the  example  equip¬ 
ments,  based  on  aircraft  log  data  during  the 
evaluation  period,  are  summarized  as  follows: 

^u|^ment  Ground  Time  Flight  Time 


1  368  hours  163  hours 

2  980  «  420  « 

3  530  "  213  » 

4  276  "  210  " 

Totals  2154  hours  1008  hours 


STEP  2 


STEP  3 


—  Estimate  Reliability  or  MTBF. 


Flight  MTBF 

_  Total  Flight  Operate  Hours 
~  Total  Number  of  In-Flight  Failures 


Ifexperience  has  shown  that  between  1.2  and  2  parts 
are  removed  per  repair  action. 


1008 
"  44 


22.4  Hours 


8-9 


NAVWEPS  00-65.502 


8-3 


Ground  MTBF 
2154 

■~rrs 


120  Hours 


(Note:  If  the  data  do  not  include  adjustment 
and  alignment  failures,  this  estimate  is 
likely  to  be  optimistic.) 

Statistical  confidence  intervals  can  be 
placed  upon  these  estimates,  if  desired  (see 
Appendix  3). 


potential  gain  which  may  be  used  as  justifi¬ 
cation  for  corrective  action. 

Assume  that  failures  from  maverick 
modules  of  the  example  equipment  can  be 
reduced  to  the  average  number  of  failures  of 
the  remaining  modules  (.54  failures/AEG/ 
module).  This  represents  a  reduction  of  24 
failures  for  the  time  accumulated  during 
service  evaluation,  as  shown  in  Figure  8-5. 
It  can  be  assumed  that  this  reduction  would 
be  proportionately  divided  between  ground 
and  in-flight  failures. 


STEP  4 


Assess  Possible  Improvement 
—  by  Reduction  of  Problem  Unit 
Failures. 


Predicted  Potential  Flight  MTBF 

_ _ Total  Operate  Hours _ 

Observed  Failures  -  Potential  Reduction 


1008 
"  44-17 


=  37  Hours 


A  comparison  between  the  observed 
reliability  computed  in  Step  3  and  that 
predicted  by  elimination  of  the  problems  in 
maverick  modules  provides  a  measure  of 


There  is,  therefore,  a  potential  increase 
from  22  to  37  hours  in  flight  reliability 
(MTBF)  by  treating  maverick  problems  alone. 
This  is  illustrated  in  Figure  8-6. 


Module 

Removals 

Expected 

Observed 

Avg/AEG/Module 

Reduction 

#03 

21 

.54  x  2  =  1.1 

19.9 

#17 

5 

.54  x  1  =  .5 

4.5 

#27 

10 

(Preventive 

Maintenance) 

.54  x  1  =  .5 

—  * 

Total  Reduction  -  24.4 


In-Flight  Reduction  =~$2~x  24.4  =  17 

*  Preventive  maintenance  removals  do  not  indicate  a  failed  system.  Thus,  reduction  of 
preventive  maintenance  removals  will  not  influence  system  reliability  directly. 


Figure  8-5.  Potential  Reduction  in  Maverick  Problems 
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R(t) 


Figure  8-6.  Estimated  Equipment  Flight  Reliability,  Present  and  Potential, 
Based  on  an  Analysis  of  Failure  Data 


STEP  5 


Evaluate  the  “Ambient” 
Problem. 


The  preceding  steps  have  dealt  with 
the  more  outstanding  “maverick”  problems 
that  jeopardize  equipment  reliability  - 
problems  readily  apparent  to  the  data  analyst. 
The  other  general  classification  of  problems 
hidden  in  the  failure  pattern  of  Figure  8-3  is 
called  the  “ambient”  problem  -  not  so 
readily  discernible,  and  generally  not  so 
easily  corrected.  This  ambient  problem, 
accounting  for  the  high  average  failure  rate 


of  the  homogeneous  group  of  the  distribution, 
is  largely  attributable  to  environmental 
factors  (thermal,  shock,,  and  vibration)  and 
application  stresses  (use  conditions  versus 
rated  conditions)  which  are  peculiar  to  a 
particular  installation  requirement.  These 
are  the  factors  which  explain  the  seven-to-one 
ratio  in  MTBF  experience  between  shipboard 
systems  and  airborne  systems  of  comparable 
complexity,  as  discussed  in  Chapter  1. 

Significant  reliability  improvements 
can  be  achieved  through  effective  treatment 
of  stringent  ambient  conditions,  although  the 
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cost  in  space,  weight,  repackaging,  cooling, 
voltage  control,  and  overall  parts  derating 
may  be  prohibitive  as  a  redesign  “retrofit” 
measure.  Effective  treatment  of  the  problem 
requires  supplemental  information  not 
generally  available  through  the  failure  re¬ 
porting  system.  In  the  airborne  systems 
just  discussed,  for  example,  it  would  be 
necessary  to  perform  in-flight  measurements 
of  ambient  and  “hot-spot”  temperatures, 
vibration  levels  and  frequencies,  voltage 
levels,  and  transients.  With  these  measure¬ 
ments,  operating  stress-levels  can  be 
precisely  defined  at  the  part  level,  to  indicate 
the  need  for,  and  the  nature  of,  required  de¬ 
sign  improvements. 


EXAMPLE:  An  in-flight  thermal  survey 
conducted  on  the  airborne  equipment 
used  in  the  foregoing  example  dis¬ 
closes  a  steady  state  ambient 
temperature  within  modules,  ranging 
from  60°C  to  120°C.  Control  of  this 
ambient  range  to  a  60°C  upper  .limit 
would  reduce  the  average  failure  rate 
of  the  homogeneous  portion  of  the 
failure  distribution  by  a  factor  of 
three-to-one.  This,  combined  with  the 
reduction  of  maver:  previously 

discussed,  could  yie  ’ive-to-one 
improvement  in  equipm*  .TBF.  The 
predicted  reliability  function  for  this 
case  is  also  shown  in  Figure  8-6. 


8-4  MAINTAINABILITY  EVALUATION 


PROBABILITY  OF  SUCCESS, 
OR  PROBABILITY  OF  REPAIR 


MAINTAINABILITY 
*  FUNCTION 


RELIABILITY 
/  FUNCTION 


Figure  8-7.  Reliability  and  Maintainability  Time  Functions 
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Maintainability  is  expressed  as  a  prob¬ 
ability  of  repair  in  a  given  time.  The 
maintainability  function,  as  contrasted  with 
the  reliability  function,  is  generally  of  the 
log-normal  shape  illustrated  in  Figure  8-7. 

The  step-by-step  procedure  for  estimat¬ 
ing  the  maintainability  of  an  equipment 
follows. 


STEP  2  -  Estimate  Mean-Time-To-Restore 

Divide  the  total  repair  or  maintenance 
hours  by  the  number  of  repair  actions  (mainte¬ 
nance  hours  are  the  calendar  hours  the  equip¬ 
ment  is  being  worked  on  and  should  not  be 
confused  with  maintenance  man-hours  per 
repair  action). 


Tabulate  Reported  Maintenance 
Times  in  Ascending  Order. 


Repair  times  were  reported  on  72  of  the 
1Q8  repairs  performed  on  the  example  equip¬ 
ments.  These  72  times  were  arranged  in 
ascending  order,  as  illustrated: 
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The  mean-time-to-restore  of  the  example 
equipment  is  calculated  as: 

-^r  =  3  hours 


-  Plot  the  Repair  Times  to 

STEP  3  —  Determine  the  Frequency 
Distribution. 


The  repair  times  grouped  into  equal 
intervals  are  plotted  as  shown  in  Figure  8-8. 
This  plot  is  called  a  frequency  distribution, 
which  represents  the  number  of  instances  in 
which  various  repair  times  were  required  to 
correct  a  failure. 


RS»AJR  TIME  PER  FAILURE  IN  HOURS 
Figure  8-8.  Plot  of  Repair  Times  per  Repair  Action 
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—  Estimate  the  Maintainability  Function. 


The  maintainability  function  can  be  estimated  by  computing  the  following  probability  of 
repair  for  each  time  interval  in  Figure  8-8: 


Probability  of  Repair  =  Total _Repair  Actions  Completed jn  Time  jor  Less 

Total  Repair  Actions 


A  plot  of  these  values  versus  the  time  t  provides  the  desired  maintainability  function 
(Figure  8-9).  From  this  plot  it  can  be  stated  that  50%  of  the  repair  actions  will  be  completed 
in  2.5  hours  or  less  and  90%  will  be  completed  in  6  hours  or  less. 
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g^,gpg  _  Assess  Potential  Maintain- 
— __ _ —  ability  Improvement _ 

Upon  determining  that  the  long  time 
to  repair  items  can  be  reduced,  it  is  possible 
to  plot  a  predicted  maintainability  function 


for  comparison  with  the  observed  function. 
Either  the  median  values  (i.e.,  50th  per¬ 
centile)  or  the  mean  values  of  the  two  dis¬ 
tributions  can  be  used  to  assess  the  degree 
of  improvement  as  shown  in  Step  2  of 
Paragraph  8-3. 


8-5  CORRECTIVE  ACTION 


8-5-1.  Failure  Patterns 

The  preceding  failure  isolation  and 
evaluation  analyses  describe  the  system 
status  and  indicate  whether  corrective  action 
will  produce  significant  improvements.  These 
analyses  do  not  indicate  the  specific  cor¬ 
rective  actions  which  may  be  employed  in 
system  improvement.  Additional  analysis  of 
failure  reports  will  often  suggest  the 
appropriate  corrective  action.  Typical 
questions  which  may  be  answered  by  this 
analysis  are: 

•  Does  the  recorded  cause  of  failure  or 
reason  for  removal  indicate  a  repetitive 
application,  environmental,  or  design 
problem? 

•  Is  there  a  difference  in  unit,  module, 
or  part  removals  due  to  physical 
location  or  application? 

•  Would  a  scheduled  replacement  time 
reduce  the  number  of  in-service  failures 
of  short-lived  components? 

•  Are  long  maintenance  times  con¬ 
sistently  related  to  given  repair 
actions? 

Each  of  the  above  questions,  plus 
others  of  a  more  specific  nature  on  a  given 
equipment  or  part  type,  may  be  answered 


fully  or  in  part  by  failure  data  when  combined 
with  supporting  information  on  the  equipment 
and  its  usage. 

EXAMPLE:  Connectors  were  too  fre¬ 
quently  removed  from  Module  #27  of 
the  example  equipment.  The  reason 
for  the  removal  was  reported  as  “cor¬ 
rosion”.  Occasional  remarks  indicated 
that  water  dripped  into  the  compartment. 
Recommended  approach:  (1)  Determine 
if  the  compartment  was  designed  to  be 
or  could  easily  be  made  watertight;  (2) 
if  not,  initiate  a  field  change  to  install 
waterproof  connectors. 

Actual  Solution:  The  compartment  was 
essentially  waterproofed  by  installing 
a  sheet  metal  drip  guard  over  the  com¬ 
partment  opening  to  prevent  con¬ 
densation  from  dripping  onto  the 
connectors. 

8-5-2.  Scheduled  Replacement 

The  question  of  replacement  time  for 
components  which  appear  to  operate  satis¬ 
factorily  for  some  length  of  time  and  then 
begin  to  fail  rapidly  (or,  conversely,  for 
components  which  never  seem  to  last  more 
than  a  few  hundred  hours)  can  be  partially 
answered  through  failure  data  that  give  the 
reference  designation  and  time-meter  read¬ 
ings  on  the  equipment.  Gyros,  magnetrons, 
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other  high-power  tubes,  rotating  and  high-wear 
devices,  sealed  modules,  and  so  on,  can 
exhibit  wearout  phenomena  prior  to  the  end 
of  equipment  service  life. 

The  shape  of  the  reliability  function 
can  be  easily  estimated  by  a  plot  of  the 
probability  of  survival  versus  various  time 
intervals. 


These  data  were  then  employed  to  ob¬ 
tain  the  reliability  function  given  in 
Figure  8-10  (the  computational  pro¬ 
cedures  are  shown  on  the  figure). 
From  Figure  8-10,  it  can  be  estimated 
that  a  replacement  schedule  of  600 
hours  would  decrease  in-flight  failures 
by  as  much  as  50%. 


EXAMPLE:  A  gyro  installed  in  12 
equipments  repeatedly  failed  after  a 
few  hundred  hours  of  operation.  For 
analysis,  field  data  on  this  gyro  from 
the  12  equipments  were  ordered  by 
failure  report  number  (or  date/time 
sequence)  within  a  fixed  time  interval, 
as  illustrated: 

The  total  elapsed  time  was  arranged 
in  ascending  order  for  the  30  obser- 
vations: 
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8-5-3.  Laboratory  Analysis 

Other  questions  can  be  answered  by 
similar  methods  of  organizing,  classifying, 
and  combining  the  basic  data.  It  must  be 
borne  in  mind  that  field  failure  dtta,  in  their 
present  state,  do  not  always  provide  irrefutable 
results,  but  they  do  provide  an  indication  of 
problem  areas  and  estimates  which  are  useful 
to  design  engineers,  project  engineers,  and 
management  personnel  in  improving  existing 
designs  and  avoiding  repetition  of  errors  in 
the  next  generation  of  equipments. 

More  often,  however,  additional  de¬ 
tailed  laboratory  studies  are  required  in  order 
to  fully  establish  the  causes  of  failure  and 
to  recommend  a  “fix”.  Regression  analysis 
(step-by-step  procedures  are  given  in 
Chapter  6)  is  the  most  widely  used  approach 
to  these  laboratory  studies.  A  brief  dis- 
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Figure  8-10.  Observed  Flight  Reliability  for  a  Gyro 
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cussion  of  the  application  of  regression 
techniques  to  a  typical  circuit  problem  will 
illustrate  the  laboratory  approach  to  closing 
the  feedback  loop. 

EXAMPLE :  A  multivibrator  circuit  in 
an  airborne  application  was  classified 
as  a  maverick  because  of  an  excessive 
number  of  Qj  transistor  removals. 
Upon  testing  the  transistors,  however, 
it  was  found  that  they  checked  "OK” 
relative  to  specification  limits. 

To  determine  the  effect  of  transistors 
on  circuit  performance  (Figure  8-11)  % 
4  production  circuits  were  randomly 
selected  and  each  was  operated  with 
60  different  transistors.  The  results 
are  shown  in  Figure  8-12. 

Figure  8-12  indicates  that  the  average 
or  mean  frequency  was  very  close  to 
the  specified  minimum  for  the  circuit. 
A  large  percentage  of  the  outputs  fell 
below  the  lower  limit.  It  is  apparent 


that  the  output  distribution  of  the 
circuit  must  be  shifted  so  that  the 
average  output  will  fall  on  the  design 
center  value.  Simple  regression,  de¬ 
fined  as  the  relationship  between  a 
dependent  variable  and  one  independent 
variable,  was  used  to  determine  what 
part  or  parts  values  are  related  most 
directly  to  circuit  output. 

In  this  cirquit,  the  coupling  capacitor 
(.022^0  was  the  suspected  culprit. 
Verification  of  this  was  obtained  by 
taking  one  model  of  the  circuit  and 
measuring  the  frequency  as  a  function 
of  three  different  values  of  the  coupling 
capacitor.  Three  sets  of  data  were 
obtained  by  running  a  sample  of  47 
transistors  through  the  circuit  for  each 
value  of  the  capacitor.  All  circuit 
components  except  transistors  were 
held  at  fixed  values.  This  made  it 
possible  to  obtain  distributions  in 
which  output  frequency  variability  was 
due  to  transistors  alone  at  each  of 


Figure  8-11.  Circuit  Schematic  of  Troublesome  Multivibrator 
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three  capacitor  values.  Figure  8-13 
shows,  for  each  value  of  the  coupling 
capacitor,  the  frequencies  obtained. 
The  means  of  the  distributions  are 
connected  by  a  regression  line  from 
which  can  be  read  the  expected  fre¬ 
quency  for  any  value  of  cathode-coupling 
capacitance. 

Figure  8-13  indicates  that  the  design 
frequency  of  115  cycles  per  second 
would  most  often  be  obtained  if  the 
capacitance  were  .016  microfarads. 
The  statistical  95%  tolerance  limits 
on  multivibrator  outputs  were  cal¬ 


culated  and  drawn  on  the  figure.  These 
limits  show  that  frequencies  in  the 
range  of  104  to  126  cycles  will  be 
achieved'95%  of  the  time  if  the  coupling 
capacitor  is  changed  to  .016 
microfarads. 


This  example  illustrates  the  use  of 
simple  regression,  not  only  to  determine  that 
an  erroneous  capacitor  value  was  employed, 
but  also  to  give  a  solution  to  the  field 
problem  —  which  was  uncovered  through  de¬ 
tection  of  an  excessive  number  of  transistor 
removals. 


100  105  110  115  120  125  130 

OUTPUT  FREQUBMCY  IN  CPS 

Figure  8-12.  Distribution  of  Output  Frequency  of  Four  Multivibrator  Modules 
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The  design  engineer  is  dependent  upon 
the  feedback  of  part  performance  and  failure 
data  from  a  wide  range  of  applications  and 
use  environments  if  he  is  to  optimize  design 
reliability  and  avoid  the  pitfalls  which  be¬ 
fell  his  predecessors.  This  type  of  data  is 
made  available  to  the  designer  of  new  Navy 
systems  through  the  following: 

•  MIL-HDBK-217,  “Reliability  Stress 

Analysis  for  Electronic  Equipment." 
This  handbook ,  referenced  in  Chap¬ 
ter  1  and  Chapter  5,  provides  a 
source  of  parts  failure  rate  data  for 
standard  electronic  and  electro¬ 
mechanical  parts.  Catastrophic 
part  failure  rates  observed  over 
wide  ranges  of  electrical  and  therm¬ 
al  stresses  have  been  analyzed  and 
presented  in  a  form  which  permits 
determination  of  the  most  likely 
failure  rate  for  a  given  set  of 
stresses.  This  handbook  is  availa¬ 
ble  from  the  Government  Printing 
Office. 

•  Bureau  of  Naval  Weapons  Failure  Rate 

Data  (FAR  AD  A)  Program.  FARAD  A 
is  a  Navy-sponsored  effort  to  pro¬ 
vide  reliability  design  data  to  con¬ 
tractors  engaged  in  the  design,  de¬ 
velopment,  and  production  of 
systems  for  the  Navy.  Part  failure 
rates  are  obtained  from  the  various 
contractors  and  service  organiza¬ 
tions.  They  are  summarized, 
analyzed,  and  published  in  the  form 
of  a  part  “Failure  Rate  Data  Hand¬ 
book.”  MIL-HDBK-217,  described 
above,  is  one  of  the  prime  data 
sources  for  FARAD  A.  The  princi¬ 
pal  difference  between  M1L-HDBK- 
217  and  FARADA  is  that  the  latter 


integrates  many  individual  sets  of 
established  failure  rates  while 
MIL-HDBK-217  converts  failure 
data  into  failure  rates  versus  stress 
levels. 


•  Inter  Service  Data  Exchange  Program. 

1DEP  is  a  tri-service  program  for 
the  exchange  of  part  test  reports  to 
assist  system  designers  in  the  se¬ 
lection  and  application  of  reliable 
part  types.  The  test  data  exchanged 
includes,  but  is  not  limited  to,  that 
obtained  from: 

a.  Qualification  or  Certification 
Tests 

b.  Production  Acceptance  Tests 

c.  Diagnostic  or  Design  and  De¬ 
velopment  Tests 

d.  General  or  Comparative  Evalua¬ 
tion  Tests 

e.  Reliability,  Exaggerated  Stress, 
and  Life  Tests 

The  IDEP  exchange  program  does 
not  summarize  or  edit  test  reports; 
instead  the  three  distribution  cen¬ 
ters  (one  for  each  service)  act  as 
clearing  houses.  Contractor  test 
reports  are  forwarded  to  their  ap¬ 
propriate  service  distribution  cen¬ 
ter  (e.g.,  Navy  IDEP  Office,  NOL, 
Corona)  where  they  are  reproduced 
and  forwarded  to  other  participants 
in  the  program. 

•  Guided  Missile  Data  Exchange  Pro¬ 

gram  .  GMDEP  is  similar  in  purpose 
and  intent  to  the  IDEP  program, 
except  that  it  is  devoted  primarily 
to  the  exchange  of  data  generated 
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by  Navy  contractors  who  are  en-  Contractors  who  are  developing  Navy 

gaged  in  the  research,  development,  systems  and  who  are  not  presently  partici- 
and  production  of  guided  missiles.  pating  in  FARADA.,  1DEP.,  and  GMDEP 
In  addition  to  test  reports,  specifi-  should  be  encouraged  to  inquire  at  the  Naval 
cation  and  part  application  data.  Ordnance  Laboratory,  Corona,  California, 
sheets  are  also  exchanged.  for  information  on  how  to  join. 


8-22 


NAVWEPS  00-65-502  9-1-1  to  9-1-2 

CHAPTER  9 

DEVELOPMENT  TIME  AND  COST  ESTIMATION 


9-1  INTRODUCTION 


9-1-1.  Purpose 

The  project  engineer  is  ultimately 
confronted  with  the  task  of  cost  and  time 
estimation  with  respect  to  his  development 
program  — 

•  To  estimate  the  time  and  funds 
required  to  develop  the  proposed 
new  system,  as  a  basis  for  docu¬ 
menting  Sections  5  and  6  of  the 
Technical  Development  Plan(TDP); 

•  To  evaluate  the  realism  and  validity 
of  contractor  cost  and  time  esti¬ 
mates  submitted  in  response  to  bid 
requests; 

•  To  assess  the  feasibility  of  com¬ 
pleting  the  development  phase 
within  the  time  span  and  funds 
finally  allotted  to  the  program;  and 

•  To  estimate  the  effect  of  cost 
differentials  and  system  reliability; 
or,  conversely,  to  estimate  develop¬ 
ment  program  costs  for  specific 
levels  of  reliability. 

In  any  case,  the  project  engineer  must 
draw  on  past  experience  with  other  programs 
of  similar  intent  and  complexity,  to  formulate 
an  estimate  of  development  time  and  funding 
requirements  for  the  new  program.  The 
estimating  problem  is  made  difficult  by  many 
factors,  the  most  significant  of  which  is  the 
degree  to  which  the  new  design  concept  will 
depend  upon  state-of-art  advances  or 
“breakthroughs”  in  component  development 
and  design  techniques.  If  the  new  design 


is  relatively  free  of  these  dependencies,  a 
fairly  accurate  prediction  of  minimum  time 
and  cost  can  be  made.  On  the  other  hand, 
if  the  system  concept  employs  several 
unique  or  untried  design  approaches  or 
depends  upon  achieving  a  state-of-art 
breakthrough  in  the  development  of  a  critical 
component  or  part,  an  estimate  of  average 
cost  expectancy  derived  from  past  experi¬ 
ence  can  prevent  overoptimism  on  the  part 
of  the  project  engineer  in  planning  and 
budgeting  the  development  program. 

9-1-2.  Basis 

The  procedures  outlined  in  this 
section  represent  a  first  attempt  to  trans¬ 
late  and  quantify  the  collective  experience^-/ 
of  twenty-one  weapon  system  development 
programs  conducted  under  the  cognizance  of 
the  Bureau  of  Naval  Weapons  during  the  past 
ten  years.  While  the  procedures  set  forth 
below  are  straightforward,  the  input  data 
available  at  this  time  are  understandably 
limited  to  experience  on  predominantly  elec¬ 
tronic  systems.  The  fwne-estimating  proce¬ 
dures  embrace  the  period  between  initial 
contract  award  and  final  acceptance  of  the 
prototype  model.  The  cost-estimating  pro¬ 
cedures  apply  to  the  costs  incurred  by  the 
contractor  and  his  subcontractors  during  this 
time  period.  They  do  not  include  costs  of 
functions  performed  by  the  Bureau  and  its 
centers  in  project  management  and  technical 
direction. 

l/‘'Cost  and  Time  Factors  Relating  to  Reliability  in 
Development  Planning”,  Final  Report  dated 
1  October  1963  submitted  by  Bird  Engineering- 
Research  Associates,  Inc.,  under  BuWeps  Contract 
NOW-62-0990-C. 
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9-2  FUNDAMENTAL  COST-TIME  RELATIONSHIPS 


9-2-1.  General 

There  are  many  factors  which  influence 
time  and  cost  of  a  development  program  - 
the  prior  experience  of  the  contractor  on 
similar  systems;  the  degree  of  finality  and 
realism  with  which  mission  characteristics 
and  performance  requirements  are  specified 
at  the  outset  of  the  development  program;  the 
continuity  and  stability  of  scheduling  and 
funding;  the  complexity  and  conventionality 
of  the  design  concept;  and  the  relative  level 
of  reliability  to  be  achieved  in  develop¬ 
ment.  Among  these,  the  following  are  the 
principal  factors  which  determine  the  time 
and  cost  of  a  weapon  system  development 
program: 

(1)  Functional  complexity  of  the 
system  concept; 

(2)  Conventionality  of  the  proposed 
design  approach  -  i.e.,  “within 
state-of-art”; 

(3)  Relative  level  of  reliability  to  be 
achieved  with  respect  to  the 
average  value  observed  in  con¬ 
ventional  designs  of  this  complex¬ 
ity. 

9-2-2.  Cost  Determining  Factors 

Figure  9-1  presents  a  family  of 
minimum  cost  curves  relating  the  overall 
cost  of  a  system  development  program  to 
the  complexity  of  the  system  to  be  developed, 
the  degree  of  freedom  from  state-of-art 
problems,  and  the  level  of  achievable  reli¬ 
ability  actually  sought.  Assume  for  example, 
a  development  program  for  an  avionics 
system  of  100  AEG’s^  estimated  complex¬ 


ity,  employing  a  conventional  design 
approach.  Past  experience  indicates  that  a 
minimum  of  $460,000  (1963  dollars)  was 
required  to  produce  a  prototype  capable  of 
demonstrating  approximately  21  hours  MTBF, 
the  lowest  level  of  reliability  observed  on 
other  avionics  systems  of  this  complexity 
in  the  Fleet  today. ^  Where  a  150-hour 
MTBF  goal  (upper  boundary  of  the  MTBF 
curve  of  Figure  2-19)  was  achieved,  the 
minimum  development  cost  increased  to 
$1,150,000  —  nearly  a  3-to-l  increase  in 
minimum  funding  requirements  for  a  7-to-l 
gain  in  system  MTBF.  Note  that  this  exam¬ 
ple  has  assumed  a  “conventional”  design 
with  no  outstanding  state-of-art  problems  to 
overcome.  When  such  problems  have  exist¬ 
ed,  however,  development  costs  have  greatly 
exceeded  the  minimums  shown  in  the  chart  — 
ranging  in  the  100  AEG  example  up  to 
$6,400,000. 

Clearly,  then,  if  the  project  engineer 
is  to  estimate  the  costs  of  a  new  develop¬ 
ment  program  on  the  basis  of  past  experience 
on  predecessor  systems,  he  must  evaluate 
the  design  for  possible  state-of-art  problems 
and  adjust  his  minimum  estimates  to  reflect 
any  departure  from  convention.  A  cost  curve 
for  designs  dependent  on  state-of-art  ad¬ 
vancements  is  also  shown  in  Figure  9-1. 

The  value  of  the  dollar  continues  to 
change  from  year  to  year.  It  is  necessary 
for  long-term  estimating  purposes  to  pre¬ 
dict  its  valuation  for  each  fiscal  year’s 
budget  period.  For  an  approximation  of 
overall  costs,  it  is  permissible  to  take  the 
predicted  dollar  value  at  the  midpoint  in  the 
program  in  order  to  derive  a  correction 


2/^ee  Chapter  2  for  a  discussion  of  the  AEG  method 
of  system  complexity  measurement. 


3/See  Figure  2-19. 
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factor  for  current  value.  Figure  9-2  is  a  plot 
projecting  the  dollar  valuation  for  the 
period  1960  to  1970.i/ 

9-2*3.  Time  Determining  Factors 

Figure  9-3  presents  a  preliminary 
regression  model  derived  from  the  develop¬ 
ment  experience  of  the  twenty-one  system 
programs  in  the  study.  Development  time 


From  Proposed  Cosl-of-Research  Index  Report 
by  E.  A.  Johnson  and  H.  S'.  Milton  of  Operations 
Research  Office,  The  Johns  Hopkins  University, 
Bethesds,  Maryland,  September  1960.  Published 
in  December  1961  by  IRE  Transactions  on  Engi¬ 
neering  Management. 


appears  to  increase  approximately  with  the 
tenth  root  of  system  complexity,  for  a 
given  degree  of  design  conventionality. 
The  lower  line,  representing  the  straight¬ 
forward  conventional  design  approach, 
should  be  used  for  estimating  minimum 
development  time  required  for  a  new  pro¬ 
gram.  The  center  line  is  a  more  conserv¬ 
ative  average  time  estimator,  to  be  used 
when  state-of-art  problems  are  expected. 
The  upper  boundary  is  realistic  when  it  is 
known  that  the  system  concept  is  dependent 
upon  components  or  design  techniques  that 
are  themselves  still  in  the  development 
stage  -  and  consequently  are  easily  identi¬ 
fiable  as  potential  state-of-art  problems. 
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Figure  9*2.  Cost  Correction  Multiplier  for  Estimating  Future  Program  Costs 


9-4 


"^"EPs  00-65.50* 


£  W*! 

I 


l^max  “  1.537(24)  N*^®®  Maximum  (Beyond  Stote-of-Art) 


f0Vfl  -  24  W 108  Average 


■ 

35 


^  j  «  0.873(24)  N*^®®  Minimum  (Conventional  Design) 


COMPtExiTV  AEG'i 


I 


F'8°r*  9-3.  De  , 

°Pn*"'  Ti-. 


i00-«C 

rZZ24^ 

'oo  eLZ'z' 

realistic  if  apPears  tha f  24  at 

encountered.  sta^-o/-art  p^‘hsJa 


°nd  Siate-of~Art 


^ionship  bet 


develops 


*2J*  %  is  not  yet  s 

of-art  rei*  •  s  bidden  Jn  i*  SePamtely 

'  i  e.  aL  ,  """'W 

Vn“o^l  deTZlT"'  is  f«5 ,WeghaS  lhe 

compiexifv  f  (/br  «&e  narr.V  i  by  con- 

ie  g^nei^T/v  °  V6d)  **  1  r  ^  ievei  of 
^quii^nln/  aPP  lcable.  When  should 

abiHty  itse]fteCceeds  this  value*  It  iab,//ty 
Problems  an7  ‘’f*8  one  of  Ju*  tfc*n  reli - 
appiicabie, and  **•  o.w 


9-5 


9-3-1 


NAVWEPS  00-65-S02 
9-3  ESTIMATION  PROCEDURE 


9-3-1.  Conventionality  Assessment 


Procedures  for  assessing  the  con¬ 
ventionality  of  a  proposed  design  concept 
are  outlined  in  Chapter  2.  The  feasibility 
of  achieving  specified  performance  and 
reliability  objectives  is  evaluated  accord¬ 
ing  to  these  same  procedures.  Key  steps 
are  summarized  here: 


STEP  1 


Obtain  Reliability 
Requirements 


In  the  requirements  analysis  (Chapter 
2-2,  Step  6),  the  reliability  requirements 
were  defined  and  should  have  been  expanded 
to  the  subsystem  level.  The  subsystem 
level  is  selected  as  best  for  time  and  cost 
feasibility  estimation  and  evaluation  because 
it  generally  consists  of  a  major  piece  of 
equipment,  is  designed  to  perform  a  complete 
function,  and  will  certainly  be  accom¬ 
plished  by  one  prime  contractor. 


STEP  2 


Develop  the  Reliability 
Block  Diagram  to 
Subsystem  Level _ 


This  step,  illustrated  in  Figure  2-20 
of  Chapter  2,  will  have  been  taken  in  the 
reliability  feasibility  estimation  (Chapter 
2-3,  Step  1).  The  same  “model”  is  appli¬ 
cable  for  cost  estimation  purposes. 


STEP  3 


Estimate  the  Complexity  and 
Range  of  Feasible  Failure 
Rates  at  the  Subsystem  Level 


This  is  the  same  as  Step  3  of  Chapter 
2-3,  and  the  same  information  should  be 
brought  forward.  Complexity  is  again 
expressed  in  AEG’s. 

As  an  example,  assume  that  Block  4 
of  Figure  2~20  is  the  fire-control  radar  of  a 
weapon  control  system  to  be  developed  for 


airborne  use.  A  range  of  probable  complex¬ 
ity  is  estimated  at  between  250  to  500 
AEG’s.  From  the  complexity,  the  range  of 
feasible  MTBF  can  be  estimated,  as  illus¬ 
trated  in  Figure  2-21.  If  the  stated  require¬ 
ment  falls  within  this  range,  it  can  be 
considered  feasible  by  conventional  design. 
Assume  a  complexity  of  300  AEG’s  for 
this  example. 

The  feasible  failure  rates  for  this 
example,  at  the  subsystem  level,  are  shown 
in  Figure  9-4. 


STEP  4 


Compare  Feasible  Reliability 
Estimates  With  the  Require- 
ments  at  Subsystem  Level 


A  comparison  is  now  made  between  the 
expected  failure  rates  determined  in  Step  3, 
above,  and  the  allocated  failure  rate  as 
determined  in  Step  6  of  Chapter  2-3.  Figure 
9-5  illustrates  the  comparison  within 
System  4. 


Classify  Each  Subsystem 
as  to  State-of-Art _ 


The  project  engineer  must  next 
classify  each  subsystem  as  to  state-of-art. 
Figure  9-5  is  an  example  of  the  manner  in 
which  this  comparison  might  be  made. 

In  classifying  subsystems  as  to 
state-of-art,  consideration  is  given  to  the 
following: 

•  Are  performance  characteristics,  as 
determined  in  Step  5  of  Chapter  2-2, 
achievable  by  conventional  design? 

•  Is  the  stated  reliability  requirement 
achievable  by  conventional  design? 


STEP  5 
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Subsystem 


Failure  Rate  x  10'6 


Complexity 

Per  AEG 

40  Power  & 

340 

13,600 

500  Digital^/ 

180 

9,000 

120  Analog 

240 

28,800 

40  Power  & 

340 

13,600 

50  Analog 

180 

9,000 

Total  Block  4  Failure  Rate 

74,000 

Figure  9-4.  Calculation  of  Expected  Subsystem  and  System  Failure  Rates 


Subsystem 

Expected 
Failure  Rate 

Percent 
of  Total 

Allocated 
Failure  Rate 

Reliability 

Allocation 

State-of-Art 

a 

13,600 

18.38 

6,850 

.98 

Conventional 

b 

9,000 

12.17 

4,200 

.99 

Beyond 

c 

28,800 

38.90 

13,200 

.96 

Conventional 

d 

13,600 

18.38 

6,850 

.98 

Conventional 

e 

9,000 

12.17 

4,200 

.99 

Beyond 

Figure  9-5.  Allocation  and  Comparison  of  Failure  Rates 


Requirements  which  fall  outside  the 
shaded  region  of  Figure  2-22  pose 
problems  which  cannot  be  solved 
by  conventional  non-redundant 
methods. 

If  the  answer  to  each  of  these  ques¬ 
tions  is  not  a  firm  “Yes”,  accept  the  fact 
that  costs  will  greatly  exceed  those  which 
would  be  expected  for  development  of  con¬ 
ventional  equipment  of  equal  complexity, 


5/ln  a  system  employing  both  analog  and  digital 
AEG's,  divide  the  n amber  of  digital  AEG’s  by  ten 
and  treat  as  analog. 

6/ The  number  of  power  AEG’s  is  a  system  are 
mnltiplied  by  two  and  treated  as  analog. 


together  with  the  risk  that  performance  and/ 
or  reliability  will  fall  short  of  requirements. 

9-3-2.  Budget  Requirements  Estimation 

STEP  1  —  Calculate  the  Cost 

— “ — of  Each  Subsystem 

The  estimate  of  cost  is  calculated 
using  either  the  formulae  or  the  graph  of 
Figure  9-1.  The  AEG  count  is  used  in  the 
same  manner  as  in  estimating  reliability. 
The  AEG  count  is  in  terms  of  power  and 
analog  AEG's.  Ten  digital  -AEG's  are  the 
equivalent  of  one  analog  AEG.  Estimated 
costs  should  be  corrected  to  the  middle  of 
the  time  period  when  money  will  actually 
be  spent,  using  the  graph  of  Figure  9-2. 
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STEP  2 


Compare  the  Cost  of  Each 
Subsystem  with  Budget 
Allocations _ 


Continuing  with  the  example  used 
earlier,  Figure  9-6  compares  estimated  costs 
with  the  preliminary  budget  allocation,  as  a 
basis  for  developing  Section  6  of  the  TDP 


STEP  3 


Evaluate  the  Feasibility  of 
Developing  Each  Subsystem 
and  the  Complete  System 
Within  Budget  Limitations 


9-3-3.  Schedule  Requirements  Estimation 


Calculate  the  Development 
Time  for  Each  Subsystem 

The  estimate  of  time  is  calculated 
using  either  the  formulae  or  the  graph  of 
Figure  9-3.  The  estimates  are  picked  off 
of  the  curve  using  the  state-of-art  class¬ 
ification  and  the  complexity  of  each  sub¬ 
system.  If  there  is  some  doubt  of  state- 
of-art  aspects,  the  center  (average)  time 
curve  is  satisfactory  for  a  preliminary 
rough  estimate. 


STEP  1 


In  the  example,  the  project  engineer 
would  conclude  that  Subsystems  a,  c,  and  d 
can  be  developed  within  cost  limitations. 
Subsystem  e  will  probably  overrun,  but  this 
may  be  compensated  for  by  slight  underruns 
in  a,  c,  and  d.  Since  these  represent  min¬ 
imum  cost  estimates,  careful  management 
and  fiscal  control  will  be  required  to  hold 
them  within  the  bounds  of  the  financial  plan. 
Subsystem  b  cannot  be  successfully  devel¬ 
oped  without  providing  additional  funding. 
A  total  of  1716,000  additional  must  be  re¬ 
quested  and  included  in  Section  6  of  the 
TDP  if  a  subsequent  overrun  is  to  be 
avoided. 


In  development  programs  whose 
designs  are  beyond  the  state-of-art,  feasi¬ 
bility  studies  or  supporting  research  and 
development  (component  development)  are 
required.  If  such  is  the  case,  additional 
time  is  required.  The  amount  of  additional 
time  depends  upon  how  long  it  takes  to 
produce  the  information,  design,  or  material 
that  will  permit  the  start  of  design  of  the 
subsystem. 

Continuing  with  the  example,  analysis 
of  System  4,  development  times  are  tabulated 
as  shown  in  Figure  9-7.  In  addition  to  the 
subsystem  development  times,  a  feasibility 


Subsystem 

Complexity 

Analog 

Equiv. 

State-of-Art 

Estimated 
Minimum 
Cost,  1963 

Corrected 
Min.  Cost, 
Mid-1967 

Financial 

Plan 

a 

40  power 

40 

Conventional 

550,000 

633,000 

700,000 

b 

500  digital 

50 

Beyond 

1,300,000 

1,500,000 

800,000 

c 

120  analog 

120 

Conventional 

1,700,000 

1,950,000 

2,000,000 

d 

40  power 

40 

Conventional 

550,000 

633,000 

650,000 

e 

50  analog 

50 

Beyond 

1,300,000 

1,500,000 

1,350,000 

5,400,000 

6,216,000 

5,500,000 

Figure  9-6.  Comparison  of  Estimated  and  Allocated  Costs 
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study  of  Subsystem  b  must  be  performed 
before  its  development  can  be  started,  and 
special  research  is  needed  to  develop  a 
component  for  Subsystem  e.  In  each  case 
12  months  are  estimated  as  required  prior  to 
the  start  of  design. 

Plot  a  Network  of  the  Events 
Showing  Relationships  and 
Dependencies;  Find  the 
Critical  Path _ 


If  all  the  subsystems  could  be 
developed  independently,  it  would  be  a 
simple  matter  to  take  the  longest  total 
development  time  in  Figure  9-7  as  being 
that  of  the  system.  Frequently  a  subsystem 
or  component  is  dependent  upon  information 
which  will  be  available  only  after  the 
design  of  another  is  complete.  The  inte¬ 
gration  of  a  system  takes  time  after  all  of 
its  components  are  complete. 


A  simple  PERT  time  network  at 
system  level  showing  the  dependencies 
among  the  five  subsystems  which  might  be 
encountered  in  the  development  program  is 
the  best  way  to  estimate  the  total  system 
development  time.  Such  a  network  may 
already  have  been  constructed  at  an  earlier 
planning  stage.  If  so,  a  check  of  develop¬ 
ment  times  is  facilitated. 


Figure  9-8  is  a  simple  network 
showing  the  development  of  System  1  using 
the  estimates  found  and  tabulated  in 
f  igure  9-7.  The  critical  path  is  the  se¬ 
quence  of  events  and  activities  which  adds 
up  to  the  longest  time,  in  this  case  12,  48, 
30,  and  4  months,  or  a  total  of  94  months. 
This  estimate  of  minimum  development  time 
is  that  expected  for  a  normal  development, 
without  overtime  or  special  priority. 


Subsystem 

Complex¬ 

ity 

State-of-Art 

Estimated 

Development 

Time 

Studies 

Special 

R&D 

Total 

Development 

Time 

Action 

a 

40 

Conventional 

30  months 

No 

30  months 

★ 

b 

50 

Beyond 

56  months 
(Minimum) 

Feas.  Study 
12  months 

68  months 
(Minimum) 

** 

c 

120 

Conventional 

35  months 

No 

35  months 

** 

d 

40 

Conventional 

30  months 

No 

30  months 

* 

e 

50 

Beyond 

56  months 
(Minimum) 

Component 

Develop. 

12  months 

68  months 
(Minimum) 

* *  ** *** 

300 

*Defer  development 

**Start  feasibility  &  development 

***Start  component  development  and  special  R&D 


Figure  9-7.  Estimated  Subsystem  Development  Time 
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Evaluate  the  Feasibility  of 
-  Meeting  the  Allocated  Time 
Schedule _ 

A  comparison  of  the  estimated  time 
required  for  development  with  the  lead  time 
allocated  by  the  operational  force  provides 
a  measure  of  the  feasibility  of  completing 
the  development  within  the  scheduled  time 
limit.  When  allocated  time  is  less  than 
estimated  required  time,  the  probability  of 
meeting  the  schedule  is  lessened;  the 
greater  the  differential,  the  lower  the  prob¬ 
ability.  The  PERT/time  estimating  and 
analysis  procedure  gives  an  actual  measure 
of  this  probability. 

Such  an  evaluation  is  made  under  the 
assumption  that  the  development  program 
will  be  normal  and  can  be  completed  at  the 
most  economical  rate.  Although  development 
progress  can  be  accelerated  to  a  minor 
extent,  costs  will  be  considerably  increased 


9-3-2 

thereby.  A  crash  program  with  sudden  accel¬ 
eration  will  not  improve  progress,  even  at 
several  times  the  normal  cost. 

In  the  example,  assume  that  System  4 
is  approved  for  development  and  that  defini¬ 
tive  planning  has  been  started.  Thus,  the 
TDP  is  under  preparation  for  initial  sub¬ 
mission.  If  System  4  is  to  become  opera¬ 
tional  with  the  Fleet  on  schedule,  production 
must  begin  in  March  1968.  The  earliest  date 
a  contract  can  be  let  is  March  1964,  permit¬ 
ting  an  elapsed  time  for  development  of  48 
months.  The  schedule  is  infeasible,  and  a 
more  realistic  date  to  commence  production 
would  be  January  1970. 

Since  the  time  allocated  for  develop¬ 
ment  is  grossly  short  of  that  estimated,  the 
infeasible  schedule  must  be  reconsidered 
prior  to  completion  of  Section  5  of  the  TDP. 
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NEW  CONSIDERATIONS 
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10-1  INTRODUCTION 


The  familiar  chart  of  MIL-STD-756A 
was  presented  in  Figures  1-12  and  1-13, 
with  several  of  today’s  Naval  weapon  sys¬ 
tems  superimposed  for  a  graphical  portrayal 
of  “where  we  are  today,  on  the  basis  of 
yesterday’s  designs’’.  On  the  average,  we 
have  been  buying  equipment  that  ultimately 
demonstrated  about  one-seventh  the  MTBF 
that  had  been’  specified  as  a  “requirement”, 
because  the  quality  assurance  provisions  of 
specifications  have  lacked  the  necessary 
acceptance-test  “teeth"  to  assure  product 
compliance  with  specified  requirements. 
The  most  serious  result  of  this  absence 
of  a  statistically  meaningful  reliability 
acceptance  test  is  that  it  has  led  develop¬ 
ment  contractors  to  bid  on  the  relatively 
simple  task  of  assembling  conventional 
building  blocks  into  a  particular  configu¬ 
ration  to  satisfy  ’performance  requirements, 
with  negligible  engineering  emphasis  on  the 
reliability  aspects  of  design. 

Absence  of  a  firm  requirement  reduces 
the  prospect  of  generating  enough  devel¬ 
opment  test  data  to  adequately  determine  the 
nature  of  the  tolerance  problems  that  are 
being  designed  into  the  system.  There  is 
no  motive  for  effectively  analyzing  the  data 
that  are  generated.  Frequently,  those 


analyses  that  are  made  do  not  get  back  to 
the  designer  in  time.  And  when  they  do, 
there  is  seldom  any  follow-on  evaluation  of 
resulting  design  changes  to  assess  the  net 
gain  or  loss  in  reliability  at  the  equipment 
level.  Thus,  the  extremely  vital  feedback 
loop  is  not  the  dynamic  guiding  force  that 
it  must  be  if  reliability  is  to  be  a  “designed- 
in”  system  parameter. 

Further,  the  absence  of  a  firm 
reliability  requirement  leads  to  “passive” 
monitoring.  It  is  not  enough  to  passively 
monitor  a  development  program  —  to  maintain 
the  “finger-on-pulse”  awareness  of  its  pro¬ 
gress  and  problems.  The  project  engineer 
must  make  “controlling”  decisions  that  can 
enhance  or  degrade  the  prospects  for  reli¬ 
ability  in  his  product.  This  active  control 
function  must  depend  upon  close  and 
informed  monitoring  based  on  the  review  of 
progress  reports,  failure  analyses,  prediction 
studies,  and  contractor  reliability  program 
activities.  He  cannot  rely  on  PERT  alone 
to  force  his  decision  —  to  do  so  can  result 
in  an  innocent  trade  of  reliability  for 
“slack”  for  the  sake  of  a  target  date  that 
may  be  of  secondary  importance.  Instead, 
he  must  require  that  PERT  events  specif¬ 
ically  include  reliability  as  one  of  the 
essential  system  characteristics. 
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In  short,  we  seem  to  be  up  against  a 
"reliability  barrier"  that  defies  penetra¬ 
tion  by  the  conventional  standards  of  design. 
We  can  now  forecast,  within  reasonably 
accurate  bounds,  the  levels  of  reliability 
that  can  be  achieved  by  a  conventional 
design  approach.  These  levels  are  not 
good  enough. 

What  can  the  project  engineer  do  to 
break  the  longstanding  reliability  barrier, 


to  assure  success  in  future  system  develop¬ 
ment  programs?  This  section  discusses 
some  of  the  management  and  technical  con¬ 
siderations  which,  if  applied  early  enough 
in  the  planning  stage  of  system  develop¬ 
ment,  can  help  break  the  so-called  reliability 
barrier  of  conventional  design.  Cautionary 
notes  are  also  sounded  about  the  dangers 
of  relying  solely  on  the  "wonders"  of  some 
of  the  newer  concepts  of  system  design  and 
management. 


10-2  DESIGN  CONSIDERATIONS 


10-2-1  General 

At  the  outset  of  development  program 
planning,  the  project  engineer  should  have 
the  practical  feasibility  of  the  stated  reli¬ 
ability  requirement  evaluated,  to  determine 
where  the  requirement  falls  on  the  MTBF/ 
complexity  chart.  Depending  upon  where  the 
requirement  falls,  he  should  contemplate 
soliciting  several  alternate  design  proposals, 
to  verify  that  his  design  requirement  is  fully 
understood  by  prospective  designers  in 
order  to  assure  at  the  outset  that  his  require¬ 
ment  will  be  satisfactorily  demonstrated  at 
the  conclusion  of  the  development  program. 
If  the  requirement  falls  in  the  shaded  area 
of  the  chart,  he  need  have  little  worry, 
because  conventional  design  has  usually 
achieved  this  level  without  a  formal  reli¬ 
ability  assurance  and  test  program.  If  the 
requirement  falls  above  the  shaded  area, 
there  are  several  possible  design  choices 
to  be  made  by  the  project  engineer  or  to  be 
suggested  by  him  to  prospective  bidders 
as  acceptable  approaches. 


The  following  alternate  design 
approaches  are  keyed  to  the  degree  of 
reliability  improvement  required  over  con¬ 
ventional  levels.  The  tradeoffs  that  will 
likely  be  required  are  discussed,  as  are 
specific  applications  in  which  one  approach 
is  more  applicable  than  another. 


10-2-2,  Conventional  Design 

Considerations: 

When  the  reliability  requirement  falls 
within  the  shaded  area  of  the  chart  (Figures 
1-12  and  1-13),  it  should  be  feasible  to 
achieve  and  demonstrate  the  reliability 
requirement  usingconventional  non-redundant 
design  with  conventional  parts,  if  the  fol¬ 
lowing  factors  are  given  primary  consid¬ 
eration: 

•  The  initial  choice  of  parts  for  the 
design  should  be  based  on  certified 
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life  test  data,  to  assure  high  inher¬ 
ent  part  reliability  without 
excessive  (and  duplicative)  parts 
testing.  When  such  data  are  not 
available  for  a  particular  part  type, 
a  parts  test  program  may  be  justi¬ 
fied  to  verify  vendor’s  “claimed” 
failure  rates  in  the  particular 
application. 

•  The  choice  of  circuits  for  the 
design  should  be  made  from  those 
of  proven  stability  and  reliability, 
supported  by  documented  contractor 
experience. 

•  Parts  should  be  derated  for  minimum 
failure  rate  consistent  with  circuit 
performance  requirements.  Derating 
should  in  general  be  accomplished 
in  accordance  with  the  procedures 
and  factors  presented  in  MIL- 
HDBK-217. 

•  Circuits  involving  semiconductors 
and  diodes  should  be  protected 
against  transient  voltage  spikes, 
decoupled  from  common  power 
sources,  isolated  from  adjacent 
module  interactions,  and  “buffered” 
in  series  configurations,  to  mini¬ 
mize  failures  due  to  interactions. 

•  Analog  circuits  should  be  stabilized 
against  the  variability  of  critical 
parts  characteristics  through  tem¬ 
perature  compensation  and  feed¬ 
back  stabilization. 


Possible  Tradeoffs: 

The  application  of  derating  to  con¬ 
ventional  design  can  be  expected  to  increase 
either  the  number  or  the  physical  size  of 


active  elements  required  for  load-sharing  in 
power  circuits.  Feedback  stabilization  of 
analog  circuits  can  be  expected  to  increase 
the  number  of  series  active  elements  to 
achieve  the  required  level  of  performance. 
Thus,  consideration  should  be  given  to  both 
parallel  and  series  redundancy  at  critical 
points  in  the  design.  The  project  engineer 
must  be  prepared  to  negotiate  a  trade  of 
weight  and  space,  and  in  some  instances 
power,  for  the  improved  reliability  promised 
by  the  proposed  design. 


10-2-3.  Micro-Electronics 
Considerations: 

The  micro-electronics  program  is  off 
to  a  good  start  and  is  being  properly 
evaluated  on  a  continuing  basis  as  develop¬ 
ment  progresses,  making  it  possible  to  draw 
on  current  test  data  for  a  prediction  of  reli¬ 
ability  feasibility  of  equipment  designs 
using  the  micro-module  as  the  basic  building 
block.  A  plot  of  micro-AEG  failure  rate  as  a 
function  of  temperature  is  shown  in  Figure 
10- 1,  based  on  two  sources  of  test  data.-L 
Each  of  the  AEG’s  plotted  consists  of  one 
transistor,  one  resistor,  and  one  capacitor 
in  a  digital  (switching)  function.  Test  data 
from  another  source?/  indicate  perhaps  a 
3-to-l  ratio  between  analog  and  digital  AEG 
failure  rates.  On  this  basis,  the  figure  can 
be  adapted  to  analog  AEG  derating  by  mul¬ 
tiplying  the  ordinate  scale  by  three. 


1/  Tex  as  Instruments  Report,  First  Quarter  1962; 
and  Litton  interim  Report  dated  20  November  1962, 
corroborating  the  T.I.  test  results. 

U  RCA  17th  Quarterly  Report,  July  1962. 
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FAILURE  RATE  X  10* /HOUR 

PART  AMBIENT  TEMPERATURE  °C 


Figure  10-1.  Derating  Curves  for  Micro-Module  and  Conventional  AEG’s  (Digital) 
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Although  Figure  10-1  Can  be  con¬ 
sidered  only  as  an  “interim”  plot,  on  the 
basis  of  very  limited  data  early  in  the  pro¬ 
gram  there  is  evidence  that  the  micro-AEG 
can  achieve  an  order  of  magnitude  (10-to-l) 
improvement  in  catastrophic  failure  rates 
over  conventional  transistor  AEG’s.  As  the 
micro-AEG  program  advances,  it  is  expected 
that  temperature/stress  derating  curves  will 
be  developed  comparable  to  those  that  can 
now  be  developed  from  MIL-HDBK-217  for 
transistor  AEG’s.  Further,  as  the  life  test 
program  broadens  in  scope,  various  analog 
AEG  reliability  characteristics  should  be¬ 
come  available  for  use  in  equipment  planning 
and  design.  It  will  then  be  possible  for  the 
project  engineer  to  precisely  specify  those 
applications  within  his  equipment  in  which 
micro-electronics  (or  equivalent)  will  be 
required. 

The  fact  that  the  micro-AEG  may 
exhibit  a  great  reduction  of  catastrophic 
failure  rate  below  that  of  its  transistor-AEG 
counterpart  is  only  one  of  the  attractive 
features  of  this  new  concept  in  electronic 
building  blocks.  Othef  equally  important 
features  include  a  10-to-l  reduction  in  space 
and  weight  per  circuit  function  and  a  com¬ 
parable  reduction  in  power  requirements. 
These  latter  features  make  the  micro-AEG  a 
natural  candidate  for  multiple  redundancy  in 
future  designs. 

Possible  Tradeoffs: 

Problems  in  micro-AEG’s  can  and 
must  be  anticipated,  however.  They  are 
constructed  of  the  same  basic  materials 
used  in  present  semiconductor  devices. 
The  project  engineer  should  expect  the  same 
characteristic  variability,  instability,  and 
deterioration  problems  in  micro-AEG’s  as 
now  are  experienced  in  transistor  AEG’s. 
He  must  therefore  contemplate  the  need  for 
isolation,  decoupling,  transient  protection, 


stabilization,  and  derating,  in  order  to  fully 
exploit  the  inherent  reliability  character¬ 
istics  of  the  new  AEG.  The  extent  to  which 
these  considerations  will  apply  has  not  yet 
been  full  assessed.  For  planning  purposes, 
it  must  be  anticipated  that  from  15  to  30  of 
present-day  circuit  functions  will  not  be 
replaceable  by  micro-AEG’s  —  these  are  the 
power  generation  and  conversion  functions 
and  other  special  functions  that  must  still 
depend  on  the  use  of  conventional  parts. 


10-2-4,  Redundancy 

Considerations: 

Whether  the  basic  building  block  is 
the  conventional  transistor  AEG  or  the 
prospective  micro-AEG,  there  will  arise 
instances  in  which  the  only  solution  to  a 
circuit  reliability  problem  is  the  application 
of  redundancy.  Some  of  these  instances  were 
pointed  out  above  —  when  power  devices 
are  derated  and  it  becomes  necessary  to 
provide  load-sharing  (parallel)  redundancy  or 
stabilization  feedback  (series)  redundancy. 
In  other  cases,  certain  critical  circuit 
functions  whose  failure  rates  still  remain 
relatively  too  high  (even  with  derating)  must 
be  protected  with  redundancy.  Thus,  to 
achieve  a  50-to-l  improvement  in  reliability 
above  conventional  design,  it  is  practically 
certain  that  redundancy  in  one  form  or 
another  will  be  required. 

Redundancy  can  be  divided  into  two 
general  classes:^/  operative  and  standby. 
Operative  redundancy  is  required  when 
manual  switching  of  standby  units  is  out 
of  the  question.  Automatic  switching 
requires  the  added  complexity  of  sense/ 
switch  devices  to  detect  failure  of  one 
element  and  switch  to  the  standby.  On  the 


2/  Refer  to  Appendix  4  for  a  detailed  discussion  of 
redundancy  in  design. 
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other  hand,  in  the  operative  case,  all  redun¬ 
dant  elements  continually  draw  power, 
thereby  increasing  load  demands  on  the 
power  supply  which  instead  should  be 
further  derated. 

The  design  engineer  must  assess  the 
proposed  design  for  the  most  advantageous 
application  of  redundancy,  in  order  first  to 
determine  the  points  in  the  series  chain  at 
which  redundancy  is  required  and  then  to 
evaluate  the  level  of  complexity  at  which  an 
optimum  yield  in  reliability  is  assured. 

EXAMPLE:  A  critical  module  is  the 
“weak  link”  in  a  proposed  equipment 
design.  Predicted  reliability  of  the 
module  is  .9  for  the  period  of  time  of 
interest;  yet  a  reliability  of  .99  is 


required.  The  designer  considers 
two  alternatives: 

(1)  Redundant  Modules: 

Figure  10-2  shows  two  modules 
in  parallel,  each  with  reliability, 
R  =  .9.  Reliability  of  the  pair  is 
R  =.  .99. 

(2)  Redundant  Parts: 

The  module  is  exploded  into  its 
parts  configuration,  as  shown  in 
Figure  10-3.  All  blocks  except 
No.  5  have  a  reliability  of  .9999. 
Block  No.  5  has  a  reliability  of 
slightly  higher  than  .9  (actually 
.901).  Block  No.  5  can  be  made 
redundant  to  produce  the  desired 
module  reliability  of  .99. 


Figure  10-2.  Redundancy  at  Module  Level 


Figure  10-3.  Reliability  at  Part  Level  Within  Module 
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The  differences  in  the  two  alternatives 
in  this  example  are: 

(1)  This  design  requires  twice  the 
weight,  space,  and  power  con¬ 
sumption,  but  is  easier  to  test  at 
preflight  checkout  to  verify  its 
operational  status;  cost  is  approx¬ 
imately  twice  the  cost  of  a  single 
module. 

(2)  This  design  requires  only  a  5^ 
increase  in  weight,  space,  and 
power  consumption,  but  requires 
additional  test-point  provisions 
for  preflight  determination  of 
operational  status. 

Possible  Tradeoffs: 

Space,  weight,  and  power  must  be 
traded  for  reliability  with  redundancy.  In 
addition,  availability  must  be  traded,  to  the 
extent  that  additional  preflight  test  time  is 
required  to  verify  that  all  elements  in  a 
redundant  configuration  are  operational  at 
the  start  of  a  mission  —  an  essential  con¬ 
dition  if  the  reliability  advantages  of  redun¬ 
dancy  are  to  be  realized. 


Some  of  the  principal  advantages  of 
digital  switching  logic  over  analog  servo 
loops  are  the  relative  simplicity  of  design, 
permitting  a  higher  degree  of  standardization 
among  modules  and  circuit  cards;  the  rela¬ 
tive  freedom  of  digital  circuits  from  drift 
and  tolerance  problems;  and  the  ease  with 
which  redundancy  can  be  applied. 


10-2-6.  Redundancy-With-Repoir 
Considerations: 

If  the  proposed  new  system  is  to  be 
accessible  to  maintenance  during  the  mis¬ 
sion  cycle  (shipboard  and  shore-based 
systems),  it  may  be  more  desirable  to  accept 
conventional  design  reliability  and  consider 
an  improved  “availability”  design  concept. 
Consideration  should  then  be  given  to 
redninAancy-with-repair  techniques,  which 
provide  means  for  the  detection,  isolation, 
and  replacement  of  redundant  element  fail¬ 
ures  without  producing  system  failure. 
These  techniques  are  discussed  in  more 
detail  in  Appendix  4. 


10-2-5.  Digital/Analog  Hybrids 
Considerations: 

Many  analog  functions  can  be  per¬ 
formed  with  digital  circuits  by  appropriate 
analog-to-digital  conversion  at  the  equipment 
input  and  a  corresponding  digital-to-analog 
conversion  at  the  equipment  output.  Al¬ 
though  a  reliability  gain  of  about  10-to-l  is 
reasonable  (digital  AEG  over  analog  AEG), 
requires  several  times  more 
to  perform  the  analog  function. 
The  net  gain  to  be  expected  is  further 
reduced  by  the  difficulty  of  achieving 
reliable  D/A  and  A/D  conversion. 


it  generally 
digital  AEG  s 


Possible  Tradeoffs: 

The  redundancy-with-repair  concept 
depends  upon  an  effective  monitoring 
system  to  detect  and  localize  the  loss  of 
redundant  elements.  Standby  elements 
must  then  be  switched  in  (either  automat¬ 
ically  or  manually);  or,  in  the  operative 
case,  the  failed  unit  must  be  switched  out 
and  a  replacement  made  before  the  remaining 
element  of  the  redundant  pair  fails,  producing 
a  system  failure.  These  monitoring  systems 
can  become  very  complex  —  to  the  extent 
that  the  practical  advantages  of  the  with- 
repair  concept  is  lost.  To  avoid  this,  ^ 
necessary  to  specify  reliability  requ 
ments  for  the  monitoring  function  itself. 
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10-3-1.  General 


Following  the  procedures  of  Chapter  2, 
the  project  engineer  must  establish  a  reli¬ 
ability  requirement  for  the  product  he  is  to 
develop,  define  the  requirement  in  clear 
terms  in  the  design  specification,  and  ref¬ 
erence  the  specification  in  both  the  RFP  and 
the  contract  statement  of  work. 


Often  the  requirement  has  not  been 
defined  in  the  implementing  TDP  or  it  cannot 
be  derived  from  the  system  or  “airframe” 
project  office  because  certain  conditions 
will  not  become  known  until  later.  It  is  then 
necessary  to  establish  requirements  on  the 
basis  of  past  conditions  and  requirements. 
In  this  case,  the  equipment  specification 
becomes  a  design  guidance  document  for  the 
larger  system. 

Once  the  level  of  tactical  reliability 
is  established,  there  are  certain  factors  to 
consider  in  the  definition  of  reliability 
program  plans  which  will  assure  with  con¬ 
fidence  that  the  stated  requirement  will  be 
met,  or,  conversely,  will  reveal  far  in  ad¬ 
vance  of  prototype  acceptance  testing  that 
the  requirement  cannot  be  met  with  the 
proposed  design  approach. 

The  following  new  considerations  are 
outlined,  for  planning  the  development  of 
Naval  weapon  systems  in  the  future. 


10-3-2. Application  of  a 

“Margin  of  Reliability  Safety” 

Design  margins  are  applied  to  other 
system  design  parameters  as  generally 
accepted  good  engineering  practices  — 
where  the  “strength”  distribution  of  the 
design  is  kept  at  a  safe  distance  from  the 
distribution  of  anticipated  stresses.  Con¬ 
sideration  should  be  given  to  incorporating 
a  margin  of  reliability  safety  in  the  specified 
requirement,  to  account  for  errors  in  pre¬ 
diction,  measurement,  and  test  conditions. 

It  is  important  at  the  outset  to  insure 
that  specified  reliability  requirements  remain 
consistent  from  one  phase  to  the  next  in  the 
equipment  life  cycle  —  to  make  clear  what 
is  meant  by  “required  MTBF”  or  “required 
reliability”.  A  good  guide  to  follow  is 
based  on  a  complete  definition  of  the  tac¬ 
tical  requirement,  which  then  sets  the  basis 
for  all  subsequent  requirements.  Figure  10-4 
illustrates  how  the  tactical  requirement 
should  be  expressed  and  interpreted. 

The  interpretations  made  in  the 
example  used  in  the  figure  are  always  on  the 
conservative  side  —  to  provide  a  margin  of 
reliability  safety,  just  as  we  provide  safety 
margins  in  all  other  design  procedures.  By 
this  procedure,  the  project  engineer  will 
occasionally  observe  more  equipment  reli¬ 
ability  than  he  actually  asked  for  —  a  pre¬ 
dicament  that  in  no  way  reflects  discredit 
on  his  engineering  management  capability! 
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Figure  10-4.  Safety  Margins  in  Reliability  Definition 


Values  of  Kj  depend  upon  the  realism  ol  the  test 
environment.  Kj  =  l  when  test  conditions  are 
approximately  equivalent  to  anticipated  use 
conditions. 
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10-3-3  Reliability  Monitoring  by  PERT 

Management  monitoring  of  system 
reliability  status  and  reliability  program 
operations  can  and  should  be  accomplished 
coincidentally  with  PERT  time  and  cost 
monitoring,  for  obviously  there  is  little 
value  in  monitoring  the  production  of  an 
'‘unknown”.  Erratic  management  decisions 
are  frequently  forced  by  the  pressure  of  a 
PERT  schedule  slippage,  in  complete 
ignorance  of  the  reliability  consequences  of 
the  decision.  The  insensitivity  of  most 
PERT  monitoring  systems  to  the  reliability 
aspects  of  development  is  attributable  to 
the  absence  of  adequate  reliability  require¬ 
ments  documentation  in  the  PERT  network. 

Project  management  should  specify 
requirements  for  PERT  reliability  mon¬ 
itoring  in  the  TDP,  the  RFP,  and  subsequent 
contract  documentation  pertaining  to  the 
proposed  new  development  program.  The 
contractor’s  proposed  schedule  of  PERT 
activities  and  events  (milestones)  should 
be  reviewed  to  determine  that  the  following 
monitoring  requirements  are  satisfied: 


•  Reliability  activities  are  either 

integrated  into  the  PERT/time  net¬ 
work,  or  are  shown  in  a  "reliability 
program  network”  as  an  overlay  to 
the  basic  PERT/time  network. 

•  Reliability  milestones  are  quan¬ 
titatively  documented  as  PERT 

event  requirements,  to  clearly 
define  event  success/failure  cri¬ 
teria. 

•  PERT  reporting  format  and  pro¬ 
cedures  have  provisions  for  re¬ 
porting  reliability  growth  status 
with  respect  to  goals,  and  problem 
status  with  respect  to  schedule. 


•  PERT  input  data  requirements 
include  contractor  estimates  of 
reliability /time  and  reliability  /cost 
tradeoffs  to  provide  management 
with  the  necessary  "consequence” 
information  for  decision  making. 


10-3-4.Raliability  as  a  Contract  Incentive 

As  outlined  in  Chapter  7,  two  values 
of  reliability  should  be  specified:  one  for 
design  guidance;  the  other  for  acceptance 
testing.  Consideration  should  be  given  to 
the  award  of  incentive  type  contracts  which 
provide  that  the  government  pays  no  fee  for 
anything  less  than  the  "minimum  accept¬ 
able”,  but  pays  fee  according  to  a  sliding 
scale  for.  demonstration  of  reliability  in 
excess  of  minimum  requirements.  This 
furnishes  incentive  for  the  contractor  not 
only  to  keep  his  reliability  techniques 
"sharp”  but  to  develop  and  apply  new 
improved  techniques  as  a  matter  of  “good 
business”  policy.  Two  major  requirements 
must  be  satisfied,  however,  to  insure  that 
an  incentive  contract  is  both  equitable  and 
workable: 


•  Minimum  acceptable  requirements 
must  be  realistically  compatible 
with  levels  achievable  by  good 
(current)  state-of-art  techniques; 

•  Decision  criteria  for  determination 
of  incentive  fee  eligibility  must 
be  clearly  defined  by  test  para¬ 
meters  that  include  a  and  /3  errors 
that  are  mutually  understood  and 
agreed  upon. 
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APPENDIX  1.  DEFINITIONS  OF  TERMS  AND 
SYMBOLS  USED  IN  THE  HANDBOOK 


The  more  important  terms  and  symbols 
used  in  the  handbook  are  presented  alpha¬ 
betically  in  this  section  of  the  appendix. 
Wherever  possible  the  definitions  are  drawn 
directly  from  MIL  Standard  721,  IRE  and 
ASQC  Standards,  MIL  Handbook  217,  and 
other  sources.  Some  liberties  have  been 


taken,  however,  to  simplify  and  clarify  cer¬ 
tain  of  these  definitions  for  the  benefit  of 
the  handbook  user.  A  more  comprehensive 
glossary  of  reliability  and  quality  control 
definitions  can  be  found  in  the  IRE-ASQC 
Reliability  Training  Text.1^ 


1.1  LEGEND  OF  REFERENCED  SYMBOLS 


a 

(Alpha)  Producer’s  Risk 

MTBF 

Mean-Time -Between -Failures 

A 

Availability 

MTF 

Mean-Time-To-Failure 

A„ 

Acceptance  Number 

MTR 

Mean-Time-To-Repair  or  Restore 

AEG 

Active  Element  Group 

(Mu)  Repair  Rate;  Mean  of  Normal 

AQL 

ASN 

Acceptable  Quality  Level 

Average  Sample  Number 
(Beta)  Consumer’s  Risk 

N 

Distribution;  Average  Life 

Number  of  AEG's 

/8 

n 

Sample  Size 

B 

Base  Failure  Rate 

OC 

Operating  Characteristic  (Curve) 

CEP 

Circular  Error  Probability 

n 

(Pi)  Product  of  a  Series 

D 

Dependability 

P 

Performance  Capability 

E 

Effectiveness 

P 

Probability 

C 

Failure 

P 

Probability  of  success  ofan  element 

f.r. 

Failure  Rate  (see  also  A) 

P 

Actual  or  true  proportion  defective 

G 

2; 

Acceleration  Level 

Null  Hypothesis 

Alternate  Hypothesis 

Po 

of  a  quantity  of  items  consti¬ 
tuting  a  “lot”  or  "test  group”. 
Nominal  desired  or  specified  value 

K 

k. 

A 

L 

Tolerance  Factor 

Use  Factor 

(Lambda)  Failure  Rate 

Longevity 

Pi 

of  proportion  defective  associ¬ 
ated  with  the  producer's  risk  (a) 
of  a  test  plan. 

Maximum  acceptable  value  of  pro¬ 

Ln 

LTPD 

M 

Natural  Logarithm  =  Loge 

Lot  Tolerance  Percent  Defective 
Maintainability 

P. 

portion  defective  accepted  by  a 
test  plan  with  consumer’s  risk(/3) 
Probability  of  Acceptance 

Mc 

Corrective  Maintenance 

P. 

Probability  of  Survival  or  Success 

MC 

Military  Characteristic 

P, 

Probability  of  Repair  (Repairability) 

MCF 

Mean  Cycles  to  Failure 

Pk 

Kill  Probability 

Mp 

Preventive  Maintenance 

Bibliography  item  13. 
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Q  Failure  Probability  (Q  =  1  -  P) 

q  Probability  of  Element  Failure 

QA  Quality  Assurance 

QC  Quality  Control 

QPL  Qualified  Products  List 

R  Operational  Reliability  (R  =  Rj*Ru) 

R  Unreliability  (R  =  1  -  R) 

Rj  Inherent  Reliability 

Ro  Nominal  or  desired  level  of  reliabil¬ 

ity  stated  as  a  requirement. 
(Either  6q  or  p0,  as  applicable, 
is  calculated  from  Ro  for  the 
design  of  an  acceptance  test.) 

Rj  Minimum  acceptable  reliability 

stated  as  a  requirement.  (Either 
0\  or  pj,  as  applicable,  is  calcu¬ 
lated  from  Rj  for  the  design  of 
an  acceptance  test.) 


R(t)  Reliability  as  a  function  of  time 

r  Number  of  failures 

rft  The  number  of  failures  at  which  an 

acceptance  test  is  truncated 
a  (Sigma)  Standard  Deviation 

2  (Sigma)  Sum  of  a  Series 

S  Stress 

SOR  Specific  Operational  Requirement 

Q  (Theta)  Mean  Life,  MTBF 

Q  (Theta  Caret)  Estimated  Mean  Life 

TDP  Technical  Development  Plan 

t  Time 

ta  Administrative  Downtime 

l  Mission  Time 

t  Repair  Time 

lJ  Unreliability 

Jf  Mean  or  Average  Value 


1.2  DEFINITIONS  OF  TERMS 


Accelerated  Test  Conditions  -  Test  condi¬ 
tions  that  are  made  more  severe  than  recom¬ 
mended  use  conditions,  in  order  to  “accel¬ 
erate”  the  occurrence  of  failures  and  thus 
shorten  the  test  time  required  for  evaluation 
of  reliability. 

Acceptable  Quality  Level  -  The  value  of 
percent  defective  associated  in  a  sampling 
plan  with  the  producer’s  risk. 

Acceptance  Number  -  The  largest  number  of 
defectives  that  can  occur  in  a  sample  frorn 
an  inspection  lot  and  still  permit  the  lot  to 
be  accepted. 

Acceptance  Sampling  Plan  —  A  procedure 
which  specifies  the  number  cf  units  of  pro¬ 
duct  which  are  to  be  inspected  (sample  size 
or  series  of  sample  sizes)  and  the  criteria 
for  determining  acceptability  (acceptance 
and  rejection  numbers). 


Acceptance  Sampling  -  A  procedure  in  which 
decisions  to  accept  or  reject  are  based  on 
the  examination  of  samples. 

Acceptance  Tests  —  Tests  to  determine  con¬ 
formance  to  design  or  specifications  as  a 
basis  for  acceptance.  They  may  apply  to 
parts,  equipments,  or  systems. 

Active  Element  —  A  part  that  converts  or 
controls  energy;  e.g.,  transistor,  diode,  elec¬ 
tron  tube,  relay,  valve,  motor,  hydraulic  pump. 

Active  Element  Group  -  An  active  element 
and  its  associated  supporting  (passive)  parts; 
e.g.,  an  amplifier  circuit,  a  relay  circuit,  a 
pump  and  its  plumbing  and  fittings. 

Active  Repair  Time  -  That  portion  of  down¬ 
time  during  which  one  or  more  technicians 
are  working  on  the  system  to  effect  a  repair. 
This  time  includes  preparation  time,  fault- 
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location  time,  fault-correction  time,  and  final 
checkout  time  for  the  system,  and  perhaps 
other  subdivisions  as  required  in  special 
cases. 

Administrative  Downtime  -  That  portion  of 
system  or  equipment  downtime  not  included 
under  active  repair  time  and  logistic  time. 

Arithmetic  Mean  — The  sum  of  a  set  of  values 
divided  by  the  number  in  the  set. 

Assembly  -  A  number  of  parts  or  subassem¬ 
blies  joined  together  to  perform  a  specific 
function. 

Assurance  —  The  relative  confidence  or  cer¬ 
tainty  that  specific  program  objectives  will 
be  achieved. 

Attribute  -  A  characteristic  or  property  that 
a  product  either  does  or  does  not  have;  e.g., 
shorts  and  opens  in  electronic  parts,  leaks 
in  hydraulic  lines,  “stiction”  in  bearings. 

Attributes  Testing  -  “Go/ no-go”  testing  to 
evaluate  whether  a  property  does  or  does  not 
fall  within  specification  limits.  The  product 
is  accepted  if  the  property  falls  within  these 
limits  but  is  rejected  if  the  product  does  not 
fall  within  them;  the  specific  value  of  the 
property  in  either  case  is  not  tested. 

Availability  (Operational  Readiness)  —  The 
probability  that  at  any  point  in  time  the  sys¬ 
tem  is  either  operating  satisfactorily  or  ready 
to  be  placed  in  operation  on  demand  when 
used  under  stated  conditions. 

Average  —  The  arithmetic  mean;  the  average 
of  a  set  of  n  numbers,  xj,  X2,  ...  .  xn,  is  the 
sum  of  the  numbers  divided  by  n; 

__  Xj  +  X2  +  .  .  •  +  Xi  i 

n 


Average  Life  -  The  mean  value  for  a  normal 
distribution  of  lives.  The  term  is  generally 
applied  to  mechanical  failures  resulting  from 
“  wearout”. 

Average  Sample  Number  -  The  average  num¬ 
ber  of  sample  units  inspected  per  lot  in 
reaching  a  decision  to  accept  or  to  reject. 

Basic  Failure  Rate  -  The  basic  failure  rate 
of  a  product  derived  from  the  catastrophic 
failure  rate  of  its  parts,  before  the  applica¬ 
tion  of  use  and  tolerance  factors.  The  failure 
rates  contained  in  MIL-HDBK-217  are  “base” 
failure  rates. 

Breadboard  Model  —  An  assembly  of  pre¬ 
liminary  circuits  and  parts  to  prove  the  feasi¬ 
bility  of  a  device,  a  circuit,  an  equipment,  a 
system,  or  a  principle  in  rough  or  breadboard 
form,  without  regard  to  the  eventual  overall 
design  or  form  of  the  parts. 

Catastrophic  Failure  —  A  sudden  change  in 
the  operating  characteristics  of  an  item  re¬ 
sulting  in  a  complete  loss  of  useful  per¬ 
formance  of  the  item. 

Censored  Data  -  Data  from  sample  items 
when  the  actual  values  pertaining  to  such 
data  are  unknown;  e.g.,  when  it  is  known 
merely  that  the  data  either  exceed  or  are 
less  than  some  value. 

Chance  Failure  -  That  failure  which  occurs 
at  random  within  the  operational  time  of  an 
equipment,  after  all  efforts  have  been  made 
to  eliminate  design  defects  and  unsound  com¬ 
ponents  and  before  wearout  becomes  pre¬ 
dominant. 

Characteristic  -  A  trait,  quality,  or  property 
distinguishing  an  individual,  group,  or  type. 

Checkout  Time  -  The  time  required  to  de¬ 
termine  that  a  system  or  equipment  is  in 
satisfactory  operating  condition. 
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Circular  Error  Probable  -  The  radius  of  the 
circle  within  which  50%  of  the  shots  are 
designated  to  land. 

Complexity  Level  -  A  measure  of  the  num¬ 
ber  of  active  elements  required  to  perform  a 
specific  system  function. 

Confidence  Level  -  The  probability  that  a 
given  statement  is  correct;  the  chance  that 
a  given  value  lies  between  two  confidence 
limits  (the  confidence  interval). 

Confidence  Limits  —  Extremes  of  a  confi¬ 
dence  interval  within  which  the  true  value 
has  a  designated  chance  (confidence  level) 
of  being  included. 

Consumer’s  Reliability  Risk  (£)  -  The  risk, 
or  probability,  that  a  product  will  be  accepted 
by  a  reliability  test  when  it  should  properly 
be  rejected. 

Controlled  Process  -  A  process  tested  or 
verified  by  counter  or  parallel  evidence  of 
experiment. 

Controlled  Test  -  A  test  designed  to  control 
or  balance  out  the  effects  of  environmental 
differences  and  to  minimize  the  chance  of 
bias  in  the  selection,  treatment,  and  analy¬ 
sis  of  test  samples. 


Critical  Defect  —  A  defect  that  judgment  and 
experience  indicate  could  result  in  hazardous 
or  unsafe  conditions  for  individuals  using  or 
maintaining  the  product;  or— for  major  end 
item  units  of  product  such  as  ships,  air¬ 
craft,  or  tanks— a  defect  that  could  prevent 
performance  of  their  tactical  function. 

Debugging  -  A  process  of  “shakedown  oper¬ 
ation”  of  a  finished  equipment  performed 
prior  to  placing  it  in  use.  During  this  period, 
defective  parts  and  workmanship  errors  are 
cleaned  up  under  test  conditions  that  closely 


simulate  field  operational  stresses.  The  de¬ 
bugging  process  is  not,  however,  intended  to 
detect  inherent  weaknesses  in  system  design. 
These  should  have  been  eliminated  in  the 
preproduction  stages  by  appropriate  tech¬ 
niques. 

Degradation  Failure  —  A  failure  which  occurs 
as  a  result  of  a  gradual  or  partial  change  in 
the  characteristics  of  some  part  or  parameter; 
e.g.,  drift  in  electronic  part  characteristics, 
changes  in  lubricant  with  age,  corrosion  of 
metal. 

Derating  -  The  technique  of  using  a  part, 
component,  or  equipment  under  stress  con¬ 
ditions  considerably  below  rated  values,  to 
achieve  a  “reliability  margin”  in  design. 

Design  Adequacy  -  The  probability  that  the 
system  will  satisfy  effectiveness  require¬ 
ments,  given  that  the  system  design  satis¬ 
fies  the  design  specification. 

Discrimination  Ratio  -  A  measure  of  steep¬ 
ness  of  the  OC  curve  for  an  acceptance  test 
between  the  AQL  and  the  LTPD;  i.e.,  the 
capability  of  the  test  to  discriminate  between 
“good”  and  “bad”  product.  Numerically, 
k  =  LTPD/AQL. 

Downtime  -  The  total  time  during  which  the 
system  is  not  in  condition  to  perform  its 
intended  function.  (Downtime  can  in  turn 
be  subdivided  in  the  following  categories: 
corrective  maintenance  time,  preventive 
maintenance  time,  logistic  time,  and  admin¬ 
istrative  time. 

Early  Failure  Period  -  That  period  of  life, 
after  final  assembly,  in  which  failures  occur 
at  an  initially  high  rate  because  of  the  pres¬ 
ence  of  defective  parts  and  workmanship. 

Effectiveness  -  The  probability  that  the 
product  will  accomplish  an  assigned  mission 
successfully  whenever  required. 
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Element  -  One  of  the  constituent  parts  of 
anything.  An  element,  in  fact  may  be  a  part, 
a  subassembly,  an  assembly,  a  unit,  a  set, 
etc. 


Gaussian  Distribution  -  A  density  function 
which  is  bell-shaped  and  symmetrical.  It  is 
completely  defined  by  two  independent  param¬ 
eters,  the  mean  and  standard  deviation. 


Environment  -  The  aggregate  of  all  the  ex¬ 
ternal  conditions  and  influences  affecting 
the  life  and  development  of  the  product. 

Equipment  -  A  product  consisting  of  one  or 
more  units  and  capable  of  performing  at  least 
one  specified  function. 

Exponential  Case  —  The  reliability  charac¬ 
teristics  of  those  products  known  to  exhibit 
a  constant  failure  rate.  Reliability  in  the 
exponential  case  is  given  by  R  =  e*^‘,  where 
A  is  the  failure  rate  and  t  is  the  period  over 
which  reliability  is  measured. 

Exponential  Reliability  Function  —  A  fre¬ 
quency  distribution  that  is  completely  defined 
by  its  mean(MTBF)  which  occurs  when  x  =  1, 
(R  =  e*l  =  .368). 

Failure  -  The  inability  of  a  product  to  per¬ 
form  its  required  function. 

Failure  Mode  Analysis  -  A  study  of  the 
physics  of  failure  to  determine  exactly  how  a 
product  fails  and  what  causes  the  failure. 

Failure  Rate  —  The  expected  number  of  fail¬ 
ures  in  a  given  time  interval.  (For  an  ex¬ 
ponential  distribution  of  times  to  failure,  the 
failure  rate  is  approximately  equal  to  the 
reciprocal  of  the  mean  life.) 

Failure  Probability  -  The  probability  of  fail¬ 
ure  in  a  specified  period  of  time. 

Free  Time  -  The  time  during  which  opera¬ 
tional  use  of  the  product  is  not  required. 
This  time  may  or  may  not  be  downtime,  de¬ 
pending  on  whether  or  not  the  system  is  in 
operable  condition. 


Geometric  Mean  —  The  arithmetic  mean  of 
the  sum  of  the  logarithms  of  a  series  of  num¬ 
bers,  or,  algebraically, 

Xg  =  VAiA2A*.  .  .  .  An 


Goal  —  A  long-term  requirement  implied  by 
specification  or  contract  and  used  primarily 
for  guidance.  Goals  are  usually  not  legally 
binding  because  no  acceptance  test  require¬ 
ments  are  imposed. 

Heterogeneity  —  A  state  or  condition  of  dis¬ 
similarity  of  nature,  kind,  or  degree. 

Homogeneity  -  A  state  or  condition  of  simi¬ 
larity  of  nature,  kind,  oi  degree;  e.g.,  two 
tube  types  found  to  have  the  same  probability 
of  removal  are  said  to  be  homogeneous. 

Human  Error  Reliability  Criteria  -  Criteria 
used  in  the  design  of  a  complex  system  to 
adapt  its  physical  features  to  the  response 
characteristics  of  the  man  who  is  ultimately 
to  be  charged  with  its  operation,  in  order  to 
minimize  reliability  degradation  due  to  op¬ 
erator  (and  maintenance  technician)  error. 
Typical  criteria  include  size,  shape,  and 
location  of  critical  controls;  illumination  and 
configuration  of  visual  displays;  use  of  auto¬ 
matic  error  detection  and  warning  devices; 
modularization  and  physical  arrangement  for 
maintenance  ease. 

Human  Factor  Engineering  -  A  branch  of 
engineering  that  treats  a  complex  equipment 
as  a  unified  man-machine  system,  to  assure 
quantitative  consideration  of  operator  and 
maintenance  influence  on  system  perform¬ 
ance,  reliability,  and  maintainability. 
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Hypothesis  —  An  unproven  proposition  which 
remains  subject  to  doubt  until  proven  true. 

Importance  Factor  -  The  relative  importance 
of  a  particular  equipment  to  total  mission 
effectiveness,  expressed  as  the  permissable 
ratio  of  the  number  of  mission  failures  due  to 
the  equipments  failing  to  the  total  number  of 
failures  of  the  equipment. 

Independent  Failures  —  Those  failures  which 
occur  or  can  occur  without  being  related  to 
the  malfunctioning  of  associated  items.  In 
the  development  of  the  exponential  failure 
law,  it  is  essential  to  assure  that  each  source 
of  potential  independent  failure  which  re¬ 
sults  in  the  complete  malfunction  of  the 
equipment  under  consideration  be  included. 
In  electronic  systems,  signals  are  usually 
cascaded  and  power  sources  are  non-redun- 
dant  so  that  nearly  all  component  parts  in¬ 
troduce  independent  sources  of  catastrophic 
failure.  Such  independent  failures  are,  there¬ 
fore,  the  normal  occurrence  rather  than  the 
exception. 

Induced  Environment  —  The  conditions  of 
shock,  vibration,  temperature,  acceleration, 
pressure,  and  so  forth,  that  are  imposed 
upon  the  system  by  its  particular  application. 

Infant  Mortality  —  Premature  catastrophic- 
type  failures  occurring  at  a  rate  substantially 
greater  than  that  observed  during  subsequent 
life  prior  to  wearout.  Infant  mortality  is 
usually  reduced  by  stringent  quality  control. 

Inherent  Reliability  —  The  reliability  poten¬ 
tial  in  a  given  design  configuration. 

Inspection  by  Attributes  -  Inspection  where¬ 
in  the  unit  of  product  is  classified  simply 
as  defective  or  nondefective  with  respect  to 
a  given  requirement  or  set  of  requirements. 
If  desired,  the  degree  of  nonconformance 


may  be  further  categorized  through  the  use 
of  such  classifications  as  critical,  major, 
and  minor. 

Inspection  by  Variables  -  Inspection  wherein 
a  specified  quality  characteristic  of  a  unit 
of  product  is  measured  on  a  continuous  scale, 
such  as  pounds,  inches,  or  feet  per  second, 
and  a  measurement  is  recorded;  or  inspection 
wherein  certain  characteristics  of  the  sample 
units  are  evaluated  with  respect  to  a  nu¬ 
merical  scale  and  are  expressed  as  precise 
points  along  this  scale.  The  distribution  of 
these  points,  as  established  by  measures  of 
their  central  tendency  and  dispersion,  are 
mathematically  related  to  specified  require¬ 
ments  to  determine  the  degree  of  conformance 
of  the  characteristics. 

Inspection  Level  -  A  term  used  to  indicate 
the  number  of  sample  units  required  for  in¬ 
spection  of  a  given  amount  of  product.  All 
other  things  being  equal,  a  higher  inspection 
level  entails  a  lower  risk  of  acceptance  by 
the  government  of  a  lot  of  inferior  quality, 
and  a  lower  inspection  level  entails  a  higher 
risk. 

Inspection  Lot  —  A  collection  of  units  of 
product  manufactured  or  processed  under 
substantially  the  same  conditions  and  offered 
for  inspection  at  one  time,  or  during  a  fixed 
period  of  time. 


Interaction  —  The  influence  of  one  subsystem 
or  subassembly  on  the  performance  and  re¬ 
liability  behavior  of  another.  Although  gross 
effects  are  qualitatively  predictable,  specific 
interaction  effects  must  usually  be  determined 
by  breadboard  and  development  testing. 

Interchangeability  -  The  ability  to  inter¬ 
change,  without  restriction,  like  equipments 
or  portions  thereof  in  manufacture,  mainte¬ 
nance,  or  operation. 
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Interfaces  -  Boundary  conditions  and  re¬ 
quirements  existing  between  two  or  more 
“mating”  subsystems  or  components  -  -  e.g., 
impedance  matching,  structural  fitting,  ther¬ 
mal  and  vibration  levels. 

Intrinsic  Availability  -  The  probability  that 
the  system  is  operating  satisfactorily  at  any 
point  in  time  when  used  under  stated  condi¬ 
tions,  where  the  time  considered  is  operating 
time  and  active  repair  time. 

Kill  Probability  —  The  probability  that  a 
target  will  be  destroyed.  (See  also  “Effect¬ 
iveness”.) 

Level  of  Significance  —  The  probability  that 
a  decision  to  reject  a  null  hypothesis  will 
be  made. 

Logistic  Downtime  —  That  portion  of  down¬ 
time  during  which  repair  is  delayed  solely 
because  of  the  necessity  for  waiting  for  a 
replacement  part  or  other  subdivision  of  the 
system. 

Longevity  —  Length  of  useful  life  of  a  product, 
to  its  ultimate  wearout  requiring  complete 
rehabilitation.  This  is  a  term  generally  ap¬ 
plied  in  the  definition  of  a  safe,  useful  life 
for  an  equipment  or  system  under  the  con¬ 
ditions  of  storage  and  use  to  which  it  will 
be  exposed  during  its  lifetime. 

Lot  Size  —  A  specific  quantity  of  similar 
material  or  collection  of  similar  units  from  a 
common  source;  in  inspection  work,  the 
quantity  offered  for  inspection  and  accept¬ 
ance  at  any  one  time.  It  may  be  a  collection 
of  raw  material,  parts,  or  subassemblies 
inspected  during  production,  or  a  consign¬ 
ment  of  finished  product  to  be  sent  out  for 
service. 

Lot  Tolerance  Percent  Defective  -  That 
value  of  percent  defective  associated  in  a 


sampling  plan  with  the  consumer’s  risk;  i.e., 
the  value  of  lot  percent  defective  on  an  OC 
curve  corresponding  to  the  value  of  /9, 

Maintainability  —  The  probability  (when 
maintenance  action  is  initiated  under  stated 
conditions)  that  a  system  will  be  restored 
to  its  specified  operational  condition  within 
a  specified  period  of  downtime. 

Maintainability  Function  -  A  plot  of  the 
probability  of  repair  within  time  t,  versus 
maintenance  time. 

Maintenance  Capabilities  -  The  facilities, 
tools,  test  equipment,  drawings,  technical 
publications,  trained  maintenance  personnel, 
engineering  support,  and  spare  parts  required 
to  restore  a  system  to  serviceable  condition. 

Maintenance  Ratio  —  The  number  of  mainte¬ 
nance  man-hours  of  downtime  (tm)  required 
to  support  each  hour  of  operation  (to);  i.e., 
M  =  tm/t0-  This  figure  reflects  the  frequency 
of  failure  of  the  system,  the  amount  of  time 
required  to  locate  and  replace  the  faulty  part, 
and  to  some  extent  the  overall  efficiency  of 
the  maintenance  organization.  This  method 
of  measurement  is  valuable  primarily  to  operat¬ 
ing  agencies  since,  under  a  given  set  of 
operating  conditions,  it  provides  a  figure  of 
merit  for  use  in  estimating  maintenance  man¬ 
power  requirements.  The  numerical  value 
for  maintenance  ratio  may  vary  from  a  very 
poor  rating  of  5  or  10  down  to  a  very  good 
rating  of  0.25  or  less. 

Marginal  Testing  —  A  procedure  for  system 
checking  which  indicates  when  some  portion 
of  the  system  has  deteriorated  to  the  point 
where  there  is  a  high  probability  of  a  system 
failure  during  the  next  operating  period. 


Mean  Life  —  The  arithmetic  average  of 
population  life. 
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Mean  Cycles  to  Failure  -  The  average 
number  of  cycles  to  failure  of  nonrepairable 
items;  i.e.,  the  total  number  of  cycles  under 
specified  conditions  divided  by  the  number 
of  failures  {the  mean  cycles  to  failure  is  the 
reciprocal  of  the  failure  rate  per  cycle). 

Mean  Cycles  Between  Failure  -  The  average 
number  of  operating  cycles  between  failures 
(applicable  to  repairable  items). 


{i.e.,  with  no  malfunctions)  for  the  duration 
of  a  mission,  given  that  it  was  operating  in 
this  mode  at  the  beginning  of  the  mission. 

Mission  Time  -  See  “Operating  Time”. 

Module  -  An  assembly,  subassembly,  or  unit 
packaged  for  ease  of  maintenance  of  the  next 
higher  level  of  assembly,  usually  in  “plug¬ 
in”  form. 


Mean-Time-To-Faiiure  -  The  average  length 
of  time  to  failure  of  nonrepairable  items, 
i.e.,  the  total  operating  time  under  specified 
conditions  divided  by  the  number  of  failures 
during  this  time  (in  the  exponential  case, 
the  mean-time-to-failure  is  the  reciprocal  of 
the  failure  rate  per  unit  time). 

Mean -Time-Between-Failures  -  The  mean 
operate  time  between  failures  (applicable  to 
repairable  items). 

Mean-Time-To-Repair  -  A  measure  of  re- 
pairability,  expressed  as  the  total  repair 
time  over  a  specified  period  divided  by  the 
total  repairs  made  during  that  period. 

Micro-Electronics  —  A  name  that  has  been 
adopted  to  indicate  the  use  of  miniaturization 
techniques  in  the  fabrication  of  replaceable 
modules,  e.g.,  micromodules,  solid-state 
circuits. 

Military  Characteristic  -  Those  essential 
qualities  which  a  system  must  possess  to 
fulfill  a  specific  military  requirement.  (See 
also  “Specific  Operational  Requirement”.) 

Mission  Profile  -  A  description  of  system 
environmental  and  use  duty  cycles  throughout 
the  mission  period  for  which  reliability  is  to 
be  specified. 

Mission  Reliability  —  The  probability  that, 
under  stated  conditions,  the  system  will 
operate  in  the  mode  for  which  it  was  designed 


Module  -  An  assembly,  subassembly,  or 
component  packaged  for  ease  of  maintenance, 
usually  in  “plug-in”  form. 

Multiple  Sampling  —  Sampling  inspection  in 
which,  after  each  sample  is  inspected,  the 
decision  is  made  to  accept,  to  reject,  or  to 
take  another  sample;  but  in  which  there  is  a 
prescribed  maximum  number  of  samples,  after 
which  decision  to  accept  or  to  reject  must 
be  reached. 

NOTE:  Multiple  sampling  as.  defined  here 
sometimes  has  been  called  “sequential 
sampling”  or  “truncated  sequential  sampl¬ 
ing”. 

Natural  Environment  -  External  conditions, 
such  as  temperature,  humidity,  pressure, 
solar  radiation,  rain,  snow,  hail,  or  wind, 
under  which  the  system  is  to  operate  when 
tactically  deployed. 

Natural  Logarithm  -  Log  to  the  base  2.71828. 

Normal  Distribution-See  “Gaussian  Distri¬ 
bution”. 

Null  Hypothesis  —  An  assumed  proposition 
used  for  the  purpose  of  statistical  test. 

Objectives  -  See  “Goals”. 

On-Line  Maintenance  —  Maintenance  perform¬ 
ed  on  a  system  or  equipment  without  inter¬ 
rupting  its  operation.  (See  also  “Reliability- 
With-Repair”.) 
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Operating  Characteristics  (OC)  Curve  -  The 
quality  curve  which  shows  for  a  particular 
sampling  plan  the  relation  between  (1)  the 
fraction  defective  in  a  lot  and  (2)  the  prob¬ 
ability  that  the  sampling  plan  will  accept 
the  lot. 

Operating  Time  —  The  time  during  which  a 
system  or.  equipment  is  actually  operating 
(in  an  “up”  status).  Operating  time  is 
usually  divisible  among  several  operating 
periods  or  conditions,  e.g.,  “standby  time”, 
filament  “on-time”,  preflight  “checkout” 
time,  flight  time. 

Operating  Mode  —  A  specific  function  or 
level  of  performance  by  which  system  per¬ 
formance  is  described. 

Operational  Equipment— An  equipment  which 
when  given  the  opportunity  to  perform  its 
intended  function  does  so  within  its  design 
limits. 

Operational  Maintenance  -  Maintenance  that 
is  performed  without  interrupting  the  satis¬ 
factory  operation  of  the  system.  (See  also 
“On-Line  Maintenance”.) 

Operational  Readiness  —  See  “Availability”. 

Operational  Reliability  —  The  probability 
that  the  system  will  give  specified  perform¬ 
ance  for  a  given  period  of  time  when  used  in 
the  manner  and  for  the  purpose,  intended.  It 
consists  of  the  inherent  equipment  reliability 
as  degraded  by  various  application  factors 
peculiar  to  each  particular  field  condition 
(use  reliability).  The  operational  reliability 
is  thus  peculiar  to  individual  situations  and 
is  not  a  measure  of  inherent  equipment  re¬ 
liability.  As  the  conditions  of  use  approach 
those  under  which  the  inherent  equipment 
reliability  was  measured,  and  as  the  operation 
and  maintenance  approach  the  quality  of  that 


provided  during  the  factory  evaluation,  then 
the  operational  reliability  will  approach  the 
inherent  equipment  reliability. 

Part  -  An  element  of  a  subassembly,  or  an 
assembly,  of  such  construction  that  it  is  not 
practical  to  disassemble  the  element  for 
maintenance  purposes. 

Part  Failure  -  A  breakdown  or  a  partial 
change  in  some  parameter  or  characteristic 
necessitating  replacement  of  the  part  to 
restore  satisfactory  operation  of  a  higher 
assembly;  e.g.,  drift  in  resistor  value,  shorted 
motor  winding. 

Percent  Defective  -  That  proportion  of  a  lot 
which  is  defective. 

Performance  Capability  —  The  probability 
that  the  system  or  equipment  will  perform  its 
intended  function  when  operating  within 
specified  design  limits. 

Pilot  Production  -  Production  of  a  limited 
quantity  of  an  item  using  as  nearly  the  same 
tooling,  methods,  and  inspection  techniques 
as  will  be  used  in  the  full  production. 

Population  —  In  statistical  terminology,  any 
set  of  individuals,  objects,  or  measurements— 
real  or  hypothetical,  finite  or  infinite  in 
number— having  some  common  characteristic. 

Precision  of  Estimate  —  The  size  of  the  in¬ 
terval  within  which  the  population  parameter 
can  be  expected  to  lie  for  a  fixed  proportion 
of  the  times  it  is  estimated,  when  the  para¬ 
meter  is  being  estimated  by  means  of  a  sample 
statistic.  Precision  of  estimating  varies 
with  the  square  root  of  the  number  of  obser¬ 
vations  on  which  it  is  based. 

Prediction  Techniques  —  Methods  for  esti¬ 
mating  future  behavior  of  a  system  on  the 
basis  of  knowledge  of  its  parts,  functions, 
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and  operating  environments,  and  of  their 
interrel  ationsbips. 


use  in  military  systems,  as  authorized  by 
Armed  Service  Procurement  Regulation 
(ASPR). 


Preventive  Maintenance  -  A  procedure  in 
which  the  system  is  periodically  checked 
and/or  reconditioned  in  order  to  prevent  or 
reduce  the  probability  of  failure  or  deteriora¬ 
tion  in  subsequent  service. 

Probability  —  The  likelihood  of  occurrence 
of  a  particular  event,  measured  by  the  ratio 
of  the  number  of  ways  an  event  actually 
occurs  to  the  total  number  of  possibilities. 

Probability  of  Acceptance  -  Probability  that 
a  lot  or  process  will  be  accepted. 

Probability  of  Survival  —  The  likelihood  of 
an  item’s  performing  its  intended  function 
for  a  given  period  of  time  or  number  of  duty 
cycles,  measured  by  the  ratio  of  the  number 
of  survivors  at  time,  t,  to  the  population  at 
the  beginning  of  the  period. 

Producer’s  Reliability  Risk  (a)  -  The  risk 
that  a  batch  of  goods  of  acceptable  reliability 
will  be  rejected  by  a  reliability  test. 

Prototype  —  A  model  suitable  for  complete 
evaluation  of  mechanical  and  electrical  form, 
design,  and  performance.  It  is  of  final 
mechanical  and  electrical  form,  employs  ap¬ 
proved  parts,  and  is  completely  representa¬ 
tive  of  final  equipment. 


Quality  —  An  attribute  or  characteristic  of  a 
product.  In  the  broadest  sense,  “quality” 
embraces  “reliability”;  i.e.,  “reliability” 
is  a  characteristic  of  the  product. 

Quality  Assurance  -  A  broad  te*rm  used  to 
include  both  quality  control  and  quality  en¬ 
gineering.  (See  MIL-Q-9858.) 


Quality  Characteristics  -  Those  properties 
of  an  item  or  process  which  can  be  measured, 
reviewed,  or  observed,  and  which  are  iden¬ 
tified  in  the  drawings,  specifications,  or 
contractual  requirements.  Reliability  be¬ 
comes  a  quality  characteristic  when  so 
defined. 

Quality  Control  -  A  production-oriented 
operation  for  causing  a  process  to  manufac¬ 
ture  a  uniform  product  within  specified  limits 
of  percent  defective  in  accordance  with 
design  requirements. 

Quality  Engineering  -  A  production-oriented 
operation  for  establishing  quality  tests  and 
quality  acceptance  criteria  and  for  interpret¬ 
ing  quality  data.  Quality  engineering  begins 
in  the  early  design  phase,  however,  to  assure 
the  required  level  of  inherent  quality  in  the 
design  ultimately  to  be  produced. 


Qualification  Test  -  Such  testing  of  a  prod¬ 
uct  as  may  be  necessary  to  determine  whether 
or  not  the  product  conforms  to  qualification 
requirements  in  the  applicable  specification. 
Qualification  testing  is  normally  conducted 
independently  of  a  procurement  action  and 
at  the  requestof  a  supplier  seeking  inclusion 
of  his  product  in  a  Qualified  Products  List. 

Qualified  Products  List  (QPL)  -  A  list  of 
items  that  have  been  tested  and  approved  for 


Random  Failure  —  A  failure  which  occurs  at 
an  unpredictable  point  in  time. 

Random  Sample  —  A  sample  in  which  each 
item  in  the  lot  has  an  equal  chance  of  being 
selected  in  the  sample. 

Redundancy  -  The  existence  of  more  than 
one  means  for  accomplishing  a  given  task. 
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Rejection  -  An  action  by  the  customer  in¬ 
dicating  nonacceptance  of  material.  In  most 
cases  material  is  rejected  as  being  non- 
acceptable  with  regard  to  certain  features, 
with  the  understanding  that  upon  correction 
the  material  may  be  resubmitted  for  inspec¬ 
tion  and  acceptance. 

Reliability  —  The  probability  of  performing* 
without  failure  a  specified  function  under 
given  conditions  for  a  specified  period  of 
time. 

Reliability  Assurance  —  The  exercise  of 
positive  and  deliberate  measures  to  provide 
confidence  that  a  specified  reliability  will 
be  obtained. 

Reliability  Control  —  The  coordination  and 
direction  of  technical  reliability  activities 
through  scientific  planning  from  a  system 
point  of  view.  There  is  no  sharp  distinction 
between  modem  reliability  control  and  the 
usual  engineering  management  and  produc¬ 
tion  methods  of  improving  reliability.  Never¬ 
theless,  it  is  important  to  recognize  that 
reliability  control  differs  in  degree  from 
conventional  methods  in  three  respects: 
first,  overall  system  planning  is  emphasized; 
second,  statistical  analysis  of  failure  data 
and  reliability  accomplishment  is  used  as  a 
control;  and  third,  constant  surveillance  of 
the  feedback  of  pertinent  data  is  required  in 
all  phases  of  development,  design,  produc¬ 
tion,  and  use. 

Reliability  Goal  —  The  level  of  reliability 
desired  of  a  design,  often  expressed  as  the 
reliability  design  “objective”  for  develop¬ 
ment  guidance ,  as  contrasted  with  the  mini¬ 
mum  acceptable  reliability  which  is  expressed 
as  a  development  requirement. 

Reliability  Life  Test  -  Testing  of  a  sample 
under  specified  conditions  for  predetermined 
periods  of  time  or  until  a  predetermined  num¬ 
ber  of  failures  has  occurred,  for  the  purpose 


of  estimating  the  mean-time-to-failure  or 
mean-time-between-failures  at  a  specified 
confidence  level. 

Reliability  Operating  Characteristic  Curve  — 

The  operating  characteristic  of  a  reliability 
acceptance  test. 

Reliability  Requirement  -  A  level  of  reli¬ 
ability  expressed  in  an  equipment  specifica¬ 
tion  as  a  design  requirement  and  supported 
with  a  reliability  acceptance  test. 

Reliability-With-Repair  —  Reliability  achiev¬ 
ed  through  the  use  of  redundancy  to  permit 
“on-line”  repairs  or  replacement  of  redundant 
units  without  interruption  of  system  opera¬ 
tion.  (See  also  “On-Line  Maintenance”.) 

Reliability  Index  —  A  figure  of  merit,  such 
as  a  ratio  or  factor,  that  is  used  to  denote 
relative  reliability.  For  example:  (a)  the 
number  of  failures  per  100  or  1000  operations; 
(b)  the  number  of  failures  per  1,  10,  100, 
1000,  or  10,000  equipment  operating  hours 
as  may  be  appropriate  to  the  equipment  ap¬ 
plication;  (c)  the  mean-time-between-failures 
in  equipment  operating  hours. 

Regression  Analysis  —  An  analytical  method 
for  determining  the  correlation  between 
several  variables. 

Repair  Rate  —  A  measure  of  repair  capability; 
i.e.,  number  of  repair  actions  completed  per 
hour  (reciprocal  of  mean-time-to-repair  in  the 
exponential  case). 

Repairabiiily  -  The  probability  that  a  failed 
system  will  be  restored  to  operable  condi¬ 
tion  within  a  specified  active  repair  time. 

Risk  -  The  probability  of  making  an  in¬ 
correct  decision.  (See  also,  Producer’s  Re¬ 
liability  Risk;  Consumer’s  Reliability  Risk.) 

Safety  -  The  quality  of  being  devoid  of 
whatever  exposes  one  to  danger  or  harm. 
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Sampling  Plan  -  A  specific  plan  which 
states  (a)  the  sample  size  and  (b)  the  criteria 
for  accepting,  rejecting,  or  taking  another 
sample. 

Sequential  Test  —  A  test  of  a  sequence  of 
samples  in  which  it  is  decided  at  each 
step  in  the  sequence  whether  to  accept  or 
reject  the  hypothesis,  or  to  take  an  additional 
sample  and  continue  the  test. 

Specific  Operational  Requirement  (SOR)  - 
A  document  prepared  by  OPNAV which  states 
a  need  for  a  capability,  outlines  a  system  or 
equipment  to  satisfy  the  need,  and  states 
the  reasons  for  the  requirement.  The  SOR 
constitutes  a  directive  to  the  appropriate 
Bureau  for  the  preparation  of  a  Technical 
Development  Plan  (TDP)that  will  accomplish 
the  objectives  stated  in  the  SOR. 

Specification  —  A  detailed  description  of  the 
characteristics  of  a  product  and  of  the  criteria 
which  must  be  used  to  determine  whether 
the  product  is  in  conformity  with  the  descrip¬ 
tion. 

Standard  Deviation  —  The  square  root  of  the 
variance  of  a  random  variable  (and  of  its 
distribution).  The  standard  deviation  of  a 
set  of  n  numbers,  xj,  X2,  .  .  .  .  xn,  is  the 
root-mean-square  (r.m.s.)  deviation  of  the 
numbers  (xj)  from  their  average  (x): 

a  =  /  £  (x;  -  5f)2 

\rti 

Stress  Analysis  -  The  evaluation  of  stress 
conditions  (electrical,  thermal,  vibration, 
shock,  humidity,  etc.)  under  which  parts  are 
applied  in  the  design  of  a  system  or  equip¬ 
ment.  On  the  basis  of  a  stress  analysis, 
failure  rates  are  appropriately  adjusted  to 
reflect  the  deleterious  effects  of  the  stresses 
on  the  reliability  of  the  parts  involved. 


Subassembly  -  Two  or  more  parts  which  form 
a  portion  of  an  assembly,  or  form  a  unit  re¬ 
placeable  as  a  whole,  but  having  a  part  or 
parts  which  are  replaceable  as  individuals. 

Subsystem  —  A  major  subdivision  of  a  system 
that  performs  a  specified  function  in  the 
overall  operation  of  a  system. 

Support  Equipment  -  Items  that  are  necessary 
for  the  operation  and/or  maintenance  of  the 
system  but  are  not  physically  part  of  the 
system. 

System  —  A  combination  of  complete  operat¬ 
ing  equipments,  assemblies,  components, 
parts,  or  accessories  interconnected  to  per¬ 
form  a  specific  operational  function. 

System  Compatibility  -  The  ability  of  the 
equipments  within  a  system  to  work  together 
to  perform  the  intended  mission  of  the  system. 
In  a  broader  sense,  system  compatibility 
is  the  suitability  of  a  system  to  provide  the 
levels  of  field  performance,  reliability,  and 
maintainability  required  by  the  military 
services. 

Systems  Engineering  -  The  process  of  apply¬ 
ing  science  and  technology  to  the  study  and 
planning  of  an  overall  system,  whereby  the 
various  parts  of  the  system  and  the  utiliza¬ 
tion  of  various  subsystems  are  fully  planned 
and  comprehended  prior  to  the  time  that 
hardware  designs  are  committed. 

Tactical  Capability  —  See  “Performance 
Capability”. 

Technical  Development  Plan  (TI)P)  -  A 
plan  for  the  fulfillment  of  an  Advanced  De¬ 
velopment  Objective  or  Specific  Operational 
Requirement,  serving  as  a  basic  decision¬ 
making  document  at  Bureau  management 
level.  When  funded,  the  TDP  becomes  the 
primary  management  control  and  reporting 
document  for  the  life  of  the  development 
program.  It  is  essential  that  it  be  kept  up  to 
date  on  a  continuing  basis. 
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Test  to  Failure  -  The  process  of  subjecting 
an  item  to  stress  levels  until  failure  occurs. 

Thermal  Survey  -  The  prediction  or  actual 
measurement  of  part  ambient  temperatures 
in  order  to  detect  the  existence  of  “hot 
spots”  and  to  determine  the  need  for  cooling. 

Tolerance  Factor  -  A  factor  by  which  the 
base  failure  rate  of  a  series  system  is  multi¬ 
plied  to  account  for  failures  due  to  drift 
characteristics  of  active  elements  in  the 
system.  The  tolerance  factor  in  analog 
systems  of  conventional  design  is  propoi> 
tional  to  complexity  and  is  given  by 

kt  53  v'N- 

where  N  is  the  number  of  active  elements 
(the  measure  of  complexity)  used  in  the  per¬ 
formance  of  the  particular  system  function. 


Tolerance  Failure  —  A  system  or  equipment 
failure  resulting  from  multiple  drift  and  in¬ 
stability  problems,  even  though  part  failures 
may  not  have  occurred. 

Truncation  —  Deletion  of  portions  of  a  distri¬ 
bution  greater  than  or  less  than  a  certain 
value.  Truncation  of  a  sequential  test  means 
termination  of  the  test  prior  to  reaching  a 
decision  under  the  sequential  plan. 


Unit  -  An  assembly  or  any  combination  of 
parts,  subassemblies,  and  assemblies 
mounted  together,  and  normally  capable  of 
independent  operation  in  a  variety  of  situa¬ 
tions. 

Uptime  -  The  time  in  which  a  system  is  in 
condition  to  perform  its  intended  function. 

Useful  Life  -  The  total  operating  time  be¬ 
tween  debugging  and  wearout. 

Use  Factor  (ku)  —  A  factor  for  adjusting  base 
failure  rate,  as  determined  from  M1L-HDBK- 
217,  to  specific  use  environments  and  packag¬ 
ing  configurations  other  than  those  applicable 
to  ground  based  systems;  e.g.,  for  Avionics 
equipment,  the  use  factor  (ky)  is  6.5  on  the 
basis  of  conventional  design  (current  ex¬ 
perience  reflected  in  M1L-STD-756). 

Use  Reliability  —  The  probability  of  per¬ 
forming  a  specified  function  without  failure 
under  actual  use  conditions. 

Variables  Testing  -  A  test  procedure  wherein 
the  items  under  test  are  classified  according 
to  quantitative  rather  than  qualitative  charac¬ 
teristics.  Variables  testing  yields  more  in¬ 
formation  than  attributes  testing. 

Wearout  Failure  Period  -  That  period  of  time 
after  the  normal  failure  period  during  which 
the  equipment  failure  rate  increases  above 
the  normal  rate. 
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APPENDIX  2.  RELIABILITY  FORMULAE 

2.1  RELIABILITY  AND  PROBABILITY 


Reliability,  by  definition,  is  a  prob¬ 
ability  concept  — 

" Reliability  is  th a  probability 
of  suceoss...undor  specified 
conditions . " 

A  knowledge  of  basic  probability  theory  is 
therefore  necessary  for  a  full  understanding 
of  the  prediction  and  evaluation  methods 
used  in  the  study  of  reliability.  This  sec¬ 
tion  reviews  some  of  the  probability  con¬ 
cepts,  shown  in  Chart  2-1. 

2.1.1  Probability  Definitions  and 

Concepts  Applicable  to  Reliability 

a.  Definition:  The  probability  of  an 
event  is  the  proportion  of  times  it  is  ex¬ 
pected  to  occur  in  a  Urge  number  nf  trials. 
Specifically,  if  event  A  occurs  in  s  out  of  n 
trials,  the  probability  of  its  occurrence— P(  A), 
or  A— is  the  ratio  s/n  as  n  goes  to  infinity. 
This  is  often  referred  to  as  the  “relative 
frequency”  definition  of  probability. 

EXAMPLE:  Ten  missiles  are  launch¬ 
ed.  Eight  successfully  intercept  the 
target  drone.  The  estimate  of  missile 
reliability  on  future  flights  is  thus 
0.8,  or  80%,  under  the  same  set  of 
“use”  conditions  which  prevailed 
during  the  test. 

As  a  special  case,  the  probability  of 
an  event  is  the  ratio  of  the  m  ways  it  can 
occur  to  the  (m+n)  ways  it  can  occur  and 
fail  to  occur,  respectively,  provided  the  ways 
are  equally  likely  and  mutually  exclusive. 

EXAMPLE:  A  die  is  rolled.  There  is 
one  way  for  a  six  to  appear.  There 
are  five  ways  for  a  six  not  to  appear. 


If  the  die  is  not  “loaded”,  each  of  the 
six  ways  the  die  can  come  to  rest  is 
equally  likely.  The  six  ways  are  also 
mutually  exclusive;  that  is,  only  one 
way  can  occur  at  a  time.  Probability 
of  a  six  on  one  roll  of  a  single  die  is 
then  m=l,  m  +  n  =  5+l,  P(6)  = 
1/(5  +  1)  -  1/6. 

b.  Symbolic  Representation:  lleliabil- 
ity  is  usually  symbolized  mathematically  as 
R(  ),  where  the  time  period  or  element  of  in¬ 
terest  is  indicated  parenthetically.  Prob¬ 
ability  is  usually  represented  by  p,  P,  or 
P(  ),  with  the  time  period  or  element  of  in¬ 
terest  indicated  parenthetically.  R(  )  and 
P(  )  are  interchange^' 'e. 

c.  Ranges  of  Probability  and  Reliabil¬ 
ity  Values:  The  probability  scale  ranges 
from  zero  (denoting  impossibility)  to  1.0 
(denoting  certainty).  If  the  probability  of 
event  A  occurring  is  p,  the  probability  of  A 
not  occurring  is  1-p.  Similarly,  if  the  re¬ 
liability  of  A  is  P^,  then  its  unreliability, 
U^,  is  1— P^.  For  simplicity  in  mathematical 
computation,  P(A)  and  R(A)  can  be  denoted 
by  A;  while  l-P(A)  and  l-R(A)  can  be  de¬ 
noted  by  A  (not  A),  as  shown  in  Figure  2-1. 


2.1.2  Two  Basic  Principles 

In  evaluating  probabilities,  all  pos¬ 
sible  outcomes  of  a  chance  event  must  be 
enumerated.  Two  basic  principles  apply: 

(1)  If  event  A  can  occur  “a”  ways 
and  event  B  can  occur  “b”  ways, 
then  event  A  or  B  (usually  written 
A+B)  can  occur  in  a+b  ways,  pro¬ 
vided  that  A  and  B  cannot  occur 
simultaneously. 

(2)  If  event  A  can  occur  “a”  ways 
and  event  B  can  occur  “b”  ways, 
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CHART  2-1.  FUNDAMENTAL  PROBABILITY  FORMULAE 


Probability  Definitions  and  Notation: 

The  probability  that  event  A  will  occur  is  the 
relative  frequency  with  which  it  occurs  (s)in 
a  large  number  of  trials  (n);  or 

P(A)  =  s/n 

The  number  of  ways  event  (A)  can  occur  (m) 
or  can  fail  to  occur  (n)  in  m+n  mutually  ex¬ 
clusive  ways. 

P(A)  =  m/m  +  n 

P(not  A)  =  P(A)  =  n/m  +  n 

P(A)  +  P{J)  =  1 

Addition  Theorem: 

The  probability  that  either  A  or  B  mutually 
exclusive  events  will  occur. 

P(A  +  B)  =  P(A)  +  P(B) 

The  probability  that  either  A  or  B  (but  not 
both)  will  occur  when  the  events  are  not 
mutually  exclusive. 

P(A  +  B)  =  P(A)  +  P(B)  -  P(AB) 

Multiplication  Theorem: 

The  joint  probability  that  A  and  B  will  occur, 
given  that  B  has  occurred. 

P(A|B)  «  P(A)P(B|A)  =  P(B)P(A1B) 

The  probability  that  both  A  and  B  will  occur, 
when  A  and  B  are  independent  events. 

P(AB)  =  P(A)P(B) 

Permutation  Theorem:  v 

The  number  of  possible  ways  to  arrange 
(permute)  n  events,  k  at  a  time. 

p(n  k)  =  PP  =  n! 

^  Fk  (n-k)! 

n!  =  n(n-l)(n-2)  .  .  .  3-2-1 
o!  =  1 

Combination  Theorem: 

The  number  of  possible  combinations  of  n 
events,  k  at  a  time. 

pn  /n\  n! 

k  *  w  * 

Binomial  Law: 

Probability  of  an  event  occurring  k  times  in 
n  independent  trials  with  probability  p  per 
trial. 
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then  events  A  and  B  (written  AB) 
can  occur  a-b  ways. 

Principle  (1)  is  illustrated  in  Figure 
2-2a.  The  system  is  successful  if  A  or  B  is 
operating.  A  has  two  redundant  elements  and 
B  has  three  redundant  elements.  Since  A 
has  two  paths  for  successful  performance 
and  B  has  three  paths,  the  total  number  of 
ways  for  A  or  B  to  occur  is  2  +  3  ='5. 

Figure  2-2b  illustrates  Principle  (2). 
Since  A  can  occur  two  ways  and  B  can  oc¬ 
cur  three  ways,  A  and  B  can  occur  2-3  =  6 
ways. 


HtOtAMUTY 


Figure  2-1.  Probability  Relationships 
for  an  Event,  A 


(a)  A  OR  B  CAN  OCCUR  M  5  WAYS : 
A+B-2+3-5 


(b)  A  AND  B  CAN  OCCUR  M  6  WAYS: 
AXB»2X3-4 


Figure  2-2.  Basic  Probability  Combinations 
(a)  the  Addition  Theorem  (b)  the  Multiplication  Theorem 


These  two  basic  principles  can  be 
extended  to  more  than  two  events.  For  ex¬ 
ample,  if  three  mutually  exclusive  events, 
A,  B,  and  C,  can  occur  in  a,  b,  and  c  ways, 
respectively,  then  events  A  or  B  or  C  can 
occur  in  a+b+c  ways,  and  events  A  and  B 
and  C  can  occur  in  a-b-c  ways. 


2.1.3  Permutations 

If  the  order  in  which  events  occur  is 
important,  we  are  concerned  with  permuta¬ 
tions.  A  permutation  is  defined  as  a  collec¬ 
tion  of  events  arranged  in  a  specific  order. 
The  total  number  of  permutations  of  three 
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events,  A,  B,  and  C,  can  be  found  in  the 
following  manner:  There  are  three  choices 
for  the  first  event;  either  of  the  two  remaining 
events  may  fill  the  second  position;  and  the 
one  remaining  event  must  fill  the  last  posi¬ 
tion.  By  Principle  (2),  the  total  number  of 
permutations  possible  is  3-2-1  =  6.  In  gen¬ 
eral,  the  total  number  of  permutations  pos¬ 
sible  in  n  distinct  events  or  objects  is  equal 
to  n(n-l)(n-2)... 3-2-1  or  n!  (n  factorial). 

In  considering  the  number  of  permuta¬ 
tions  of  k  objects  out  of  n,  there  are  n  ways 
for  the  first  position,  (n-1)  ways  for  the  sec¬ 
ond,  and  so  on.  When  we  come  to  the  kl“ 
position,  (k-1)  of  the  objects  will  have  been 
used,  so  that  the  k1*1  position  can  be  filled 
in  n-(k-l)  ways.  The  symbol  P(n,k)  is  used 
to  denote  the  number  of  permutations  of  k 
out  of  n  objects: 

P(n,k)  =  n(n-l)(n-2)...(n-k+l) 
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n! 

MO! 


(2-1) 


EXAMPLE:  Find  the  probability  of 
losing  output  Eo,  of  Figure  2-3,  after 
three  diodes  have  shorted.  From 
Equation  (2-1),  the  total  number  of 
permutations  of  three  out  of  five  diodes 
is  (50/(2!)  *  60.  Output  Eo  will  be 
absent  through  short  circuiting  only 
after  diodes  A,  B,  and  C  short.  This 
can  occur  in  3!  =  6  ways.  If  all  pos¬ 
sible  permutations  are  equally  likely, 
the  probability  of  loss  of  Eo  after 
three  diodes  have  shorted  then  is 
6/60  -  0.10 

2.1.4  Combinations 

A  combination  is  the  number  of  differ¬ 
ent  ways  k  out  of  n  objects  can  be  selected 
without  regard  to  the  order  of  arrangement. 
This  is  denoted  by: 


Figure  2-3.  Failure  by  Shorting 
of  A,  B  and  C  Result  in  Loss  of  Eq 


n\  _  P(n,k)  _  n! 
k/  "  k!  k!(n-k)! 


(2-2) 


Equation  (2-2)  can  be  used  to  solve 
the  example  given  in  2.1.3.  From  the  circuit 
in  Figure  2-3  there  is  only  one  combination 
of  three  diodes  shorting  which  will  result  in 
the  loss  of  Eo,  namely  ABC.  The  total  num¬ 
ber  of  combinations  of  five  diodes  taken 
three  at  a  time  is 

/5\  =_5! _ 1-2-3-4-5  _  120  =  10 

\3/  3!2!  (1-2 -3X1-2)  (6)(2) 


of  which  only  one  (ABC)  will  produce  a 
short.  Therefore,  the  probability  of  ABC 
shorting  =  1/10  =  0.10,  as  before. 
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2.1.5  Fundamentol  Rules  lor 
Probability  Computations 

(1)  The  Addition  Rule:  If  A  and  B 
are  two  mutually  exclusive  events,  i.e. ,  oc¬ 
currence  of  either  event  excludes  the  other, 
the  probability  of  either  of  them  happening 
is  the  sum  of  their  respective  probabilities: 

P(A  or  B)  =  P(A+B)  =  P(A)  +P(B)  (2-3) 

This  rule  follows  directly  from  principle  (1) 
of  2.1.2  and  can  apply  to  any  number  of 
mutually  exclusive  events. 

P(A+B...+N)  =  P(A)  +  P(B)...+P(N)  (2-4) 

(2)  The  Addition  Rule  (non-exclusive 
case):  If  A  and  B  are  two  events  not  mu¬ 
tually  exclusive,  i.e.,  either  or  both  can  oc¬ 
cur,  the  probability  of  at  least  one  of  them 
occurring  is 

P(A  or  B)  =  P(A+B)  (2-5) 

=  P(A)  +  P(B)  -  P(AB) 

The  equation  for  three  events  becomes: 

P(A+B+C)  =  P(A)  +  P(B)  +  P(C)  (2-6)- 
-  P(AB)  -  P(AC)  -  P(BC) 

+  P(XBC) 

Rule  (2)  can  be  extended  to  any  num¬ 
ber  of  events. 

EXAMPLE:  If  event  A  is  a  face  card 
and  event  B  is  a  spade,  they  are  not 
mutually  exclusive,  i.e.,  the  occur¬ 
rence  of  one  does  not  preclude  the 
occurrence  of  the  other.  There  are  12 
ways  to  draw  a  face  card;  there  are 
13  ways  to  draw  a  spade.  There  are 
3  ways  to  draw  a  face  card  in  the 
spade  suit.  The  probability  of  at 
least  a  face  card  or  a  spade  on  the 
first  draw  is: 


P(A+B)  =  P(A)  +  P(B)  -  P(AB) 


12  13 

12 

13 

52  52 

52 

52 

12  +  13 

3 

22 

52  52 

52 

52 

(3)  The  Multiplication  Rule:  If  events 
A  and  Bare  independent,  i.e.,  the  occurrence 
of  one  does  not  affect  the  probability  of  oc¬ 
currence  of  the  other,  the  probability  that 
both  will  occur  is  equal  to  the  product  of 
their  respective  probabilities. 

P(A  and  B)  =  P(AB)  =  P(A)P(B)  (2-7) 

Equation  (2-7)  may  be  extended  to  any 
number  of  independent  events: 

P(AB...N)  =  P(A)P(B)  ...  P(N) 

This  is  known  as  the  product  or  multiplica¬ 
tion  law  for  independent  events  used  in  re¬ 
liability  prediction  techniques. 

EXAMPLE:  A  weapon  system  is  made 
up  of  a  radar  set,  computer,  launcher, 
and  a  missile.  Each  has  an  indepen¬ 
dent  probability  of  successful  opera¬ 
tion  over  a  particular  time  period  of 
0.87,  0.85,  0.988,  and  0.80,  respec¬ 
tively.  The  probability  of  successful 
system  operation  for  the  same  time 
interval  is  the  product  of  the  individual 
subsystem  probabilities,  or  (0.87) 
(0.85)(0. 988X0.80)  =  0.585. 

(4)  Conditional  Probabilities :  If 

events  A  and  B  are  not  independent,  i.e., 
the  occurrence  of  one  affects  the  probability 
of  occurrence  of  the  other,  a  conditional 
probability  exists.  The  probability  of  A 
given  that  B  has  occurred  is  denoted  by 
P(A|B),  and  similarly  B  given  A  is  denoted 
by  P(B|A).  Thus  if  A  and  B  are  not  inde- 
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pendent,  then  the  probability  of  both  occur¬ 
ring  is 

PUB)  =  PU)P(B|A)  (2-8) 

=  P(B)P(A|B) 

If  A  and  B  are  independent,  P(A|B)  =  P(A) 
and  P(B|A)  =  P(B)  and  Equation  (2-8)  re¬ 
duces  to  Equation  (2-7). 

For  three  events  A,  B,  and  C 

P(ABC)  *  P(A)P(B)P(C|AB)  (2-9) 

EXAMPLE:  The  probability  of  draw¬ 
ing  two  hearts  in  sequence  from  a  deck 
of  cards  in  two  draws  is  conditional 
on  the  first  draw.  Since  there  are  13 
hearts  in  a  deck  of  52  cards,  the  prob¬ 
ability  of  a  heart  on  the  first  draw, 
P(A),  equals  13/52,  or  0.25.  If  the 
first  draw  was  a  heart,  there  are  12 
hearts  left  in  a  reduced  deck  of  51 
cards.  Thus,  the  probability  of  draw¬ 
ing  a  heart  on  the  second  draw  if  the 
first  draw  was  a  heart,  P(B|A),  is 
12/51,  or  0.235.  The  probability  of 
drawing  two  hearts  in  sequence,  P(AB), 
is  then 

PUB)  =  P(A)PUtB) 

=  (0.25X0.235) 


EXAMPLE:  A  redundant  circuit  has 
five  components.  The  circuit  will  op¬ 
erate  successfully  if  at  least  two  of 
the  five  components  are  operating,  p 
is  the  probability  of  each  component 
failing.  The  failure  of  one  component 
has  no  effect  on  the  performance  of  the 
other  components.  The  probability  of 
system  success  is  equal  to  1  -  [(prob¬ 
ability  of  exactly  four  components 
failing)  +■  (probability  of  exactly  five 
components  failing)].  Using  Equation 
(2-10)  and  letting  k  equal  the  number 
of  failures, 

R  =  1  *  [Q)  p^i-p)1  +  (|)  p5U-p)°] 

=  1  -  [5p4(l-p)  +  p5^] 

=  l-^5p4-4p^]  (2-11) 

The  binomial  law  is  treated  as  a  dis¬ 
crete  distribution  in  more  detail  in  2.2. 

2.1.7  Application  of  Basic  Rules  of 
Probability 

The  probability  of  the  simultaneous 
occurrence  of  A  and  B  is  the  product  of  the 
unconditional  probability  of  event  A  and  the 
conditional  probability  of  B,  given  that  A 
has  occurred: 


=  0.058 

2.1.6  The  Binomial  Law 

If  the  probability  of  an  event  occurring 
in  a  single  trial  is  p,  the  probability  of  it 
occurring  exactly  k  times  out  of  n  independent 
trials  is  given  by  the  binomial  law: 

P(k,n|p)  .  (»)  pk(l-p)"-k 

wherc(k)  -  kirai  <”•> 


(AB)  =  (A)(B|A)  (2-8) 

This  more  general  version  of  the  rules 
takes  account  of  instances  in  which  the 
events  are  not  independent  nor  mutually  ex¬ 
clusive.  These  instances  do  not  give  rise 
to  different  rules;  however,  care  must  be 
taken  to  separate  the  events  into  indepen¬ 
dent  groups  before  adding  or  multiplying 
probabilities,  as  the  case  may  be.  For  ex¬ 
ample,  consider  the  failure  of  a  particular 
electronic  equipment.  There  are  failures 
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arising  from  transistors  and  failures  arising 
from  capacitors- to  mention  only  two  pos¬ 
sibilities.  These  failures  are  not  mutually 
exclusive  since  a  failure  from  a  transistor 
does  not  exclude  failure  from  capacitors.  If 
the&>3  events  are  separated  into  mutually  ex¬ 
clusive  subclasses,  the  following  events  and 
probabilities  are  apparent  (let  A  be  failure 
from  transistors  and  B  failure  from  capaci¬ 
tors): 

(1)  Failure  from  transistors  alone,  as¬ 
suming  no  simultaneous  failures 
from  capacitors,  with  probability 

(A)  -  (ABj 

(2)  Failure  from  capacitors  alone  (no 
simultaneous  failures  from  trans¬ 
istors),  with  probability 

(B)  -  (AB) 

(3)  Failure  from  both  transistors  and 
capacitors  simultaneously  (assum¬ 
ing  that  they  are  independent), 
with  probability 

(AB) 

The  probability  of  failure  from  either 
transistors  or  capacitors  (A  or  B)  is  obtained 
by  applying  the  additive  rule— a  valid  pro¬ 
cedure  since,  as  written,  the  three  events 
are  mutually  exclusive.  This  gives 

[(A)  -  (AB)]  +  [(B)  -  (AB)]  +  (AB) 

=  (A)  +  (B)  -  (AB) 

The  same  procedure  is  extendible  to  more 
than  two  cases. 

The  probability  of  occurrence  of  either 
A  or  B  can  also  be  obtained  as  the  probabil¬ 
ity  of  A  plus  the  probability  of'not  A  and  B. 
This  is 


(A)  +  am)  =  (a)  +  a  -  (ah  (B) 

=  (A)  +  (B)  -  (A)(B) 

=  (A)  Hr  (B)  -  (AB), 

as  before. 

Similarly,  the  probability  of  occurrence 
of  either  A,  B,  or  C  is  obtained  as  the  sum 
of  two  probabilities: 

(1)  The  probability  of  A,  and 

(2)  The  probability  of  “not  A”  but 
either  B  or  C 

These  are 
(A) 

and 

[1  -  (A)]  [(B)  +  (C)  -  (BC)], 
respectively.  The  sum  is 

(A)  +  (B)  +  (C)  -  ( A)(B)  -  ( A)(C)  -  (BC)  +  (A)(BC) 
=  (A)  +  (B)  +  (C)  -  (AB)  -  (AC)  -  (BC)  +  (ABC) 

=»A  + AB  +  ABC 

These  events  can  be  seen  graphically 
in  Figure  2-4.  All  events  appear  as  over¬ 
lapping  circles,  i.e.,  points  in  the  circles 
represent  ways  A,  B,  or  C  can  occur.  The 
first  event  in  the  series  is  the  A  circle.  The 
second  event  is  the  part  of  the  B  circle  that 
is  not  inside  the  A  circle.  The  sum  of  the 
first  two  events  is  the  sum  of  these  two 
areas.  The  third  event  is  that  part  of  the 
area  in  the  C  circle  which  is  not  in  the  A 
and  B  circles,  or,  stated  another  way,  it  is 
the  portion  of  the  C  circle  not  included  in  the 
area  represented  by  the  first  two  events  in 
the  series,  and  so  on. 
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2.1.8  A  General  Method  for  Solving 

Probability  Problems — An  Example 

The  relative-frequency  definition  of 
probability  (2.1.1)  is  by  itself  a  very  useful 
tool  for  solving  probability  problems.  It 
does  two  things: 

(1)  It  permits  the  use  of  observed 
data  on  the  proportion  of  succes¬ 
ses  as  an  estimate  of  the  prob¬ 
ability  of  success,  and 

(2)  It  permits  the  use  of  the  estimate 
of  probability  in  predicting  the 
proportion  of  future  successes. 

The  first  item  is  the  input  data  needed  in 
solving  the  problem;  the  second  item  is  the 
inference  or  prediction. 

As  an  example,  consider  an  equipment 
consisting  of  three  black  boxes  denoted  by 
A,  B,  and  C.  In  a  particular  use  of  this 
equipment,  the  failure  of  one  of  the  boxes 
does  not  influence  the  failure  of  either  of 
the  others.  Denote  by  a,  b,  and  c  the  suc¬ 
cessful  operation  of  boxes  A,  B,  and  C, 
respectively;  and  dendte  by  a,  B,  and  c  the 
failure  of  A,  B,  and  C,  respectively.  As¬ 
sume  that  success  and  failure  have  occurred 
in  the  following  proportions  of  trials: 

Success  Failure 
A  a  =  1/2  a  =  1/2 

B  b  =  2/3  B  =  1/3 

C  c  =  4/5  c  =  1/5 

A  “trial”  is  defined  as  a  mission  in¬ 
volving  a  time  period  of  fixed  duration. 
The  table  expresses  the  equality  of  the  ob¬ 
served  relative  frequencies  of  the  corres¬ 
ponding  probabilities. 


From  the  above  probabilities,  the 
failures  expected  in  a  number  of  future  mis¬ 
sions  can  be  computed.  Each  of  the  three 
boxes  will  or  will  not  fail  in  all  possible 
combinations.  Probabilities  for  the  separate 
combinations  of  A,  B,  and  C  are  estimated 
in  sequence  as  follows. 

Consider  60  future  missions.  In  60a 
=  30  of  these,  A  will  operate  properly.  Of 
the  30  in  which  A  operates  properly,  B  will 
operate  in  30b  =  20.  Similarly,  of  the  20 
missions  in  which  B  will  operate  properly, 
C  will  operate  satisfactorily  in  20c  =  16 
cases.  Thus,  for  the  next  60  missions,  16 
of  them  will  have  A,  B,  and  C  working  satis¬ 
factorily. 

The  process  is  easier  to  follow  when 
the  computations  are  expressed  in  a  sys¬ 
tematic  form,  as  shown  in  the  table. 


60 


abc 

abc 

aBc 

aBc 

abc 

abc 

aBc 

aBc 


TOTAL  60 


Probabilities  for  any  combination  can 
now  be  computed  as  the  ratio  of  the  number 
of  missions  with  the  particular  failure  com¬ 
bination  to  the  total  number  of  missions  at¬ 
tempted  (60).  Thus,  the  probability  that  A 
and  B  fail  while  C  does  not  is  8/60  =  2/15, 
the  8  being  indicated  above  by  aBc. 


NAVWEPS  00-65-502 

There  is  a  special  significance  in  the  CASe  , 
method  of  identification:  the  indicated 

product  is  the  probability.  For  example,  the 
aBc  product  is  (l/2)(l/3)(4/5)  =  2/15  as 
computed  above.  Furthermore,  the  8  mis¬ 
sions  noted  for  this  case  can  be  computed 
by  the  formula  60  aBc,  if  a,  5,  and  c  are  used  ; 

to  denote  probabilities.  The  product  aBc 
illustrates  the  “both-and”  theorem  in  prob¬ 
ability.  The  multiplication  by  60  reflects 
the  definition  of  probability  as  th 
number  of  occurrences  of  an  event  n,  0i«,en 
number  of  trials. 

CASE  3 

It  is  also  possible  to  illustrate  the 
“either-or”  theorem  in  which  probabilities 
are  added.  Thus,  the  probability  that  A  and 
B  both  fail,  regardless  of  C,  is  shown  as 
10/60  =  1/6,  the  numerator  10  being  obtained  0/58  4 
by  the  computations  listed  above.  It  could 
be  denoted  by  aE,  the  formula  for  this  prob¬ 
ability.  It  can  also  be  obtained  as  aBc  +  aBc 
=  aB(c+c)  =  aE.  In  terms  of  the  number  of  Figure  2-5.  Four  Possible  Combinations 
missions,  this  is  8  for  aBc  and  2  for  aBc.  of  Units  A,  B  and  C 


The  failure  of  a  component  or  “black 
box”  may  or  may  not  mean  system  failure, 
depending  on  the  series  or  parallel  arrange¬ 
ment  of  the  boxes  in  a  particular  operating 
mode.  Hence,  it  is  necessary  to  look  at  a 
number  of  possible  arrangements  of  boxes  A, 
B,  and  C  in  the  present  example.  Four  pos¬ 
sible  cases  are  diagramed  in  Figure  2-5. 

Failure-free  operation  of  the  system 
in  each  of  the  four  cases  requires  the  follow¬ 
ing  conditions: 

Case  1.  None  of  the  three  boxes  can 
fail. 

Case  2.  Not  more  than  two  of  the 
boxes  can  fail. 


Case  3.  Box  C  must  not  fail  and  at 
least  one  of  the  other  two 
boxes  must  operate  without 
failure. 

Case  4.  Boxes  A  and  B  must  operate 
without  failure  if  box  C  fails, 
but  the  system  will  operate  if 
boxC  does  not  fail  regardless 
of  what  happens  to  boxes  A 
and  B. 


Using  these  conditions,  it  is  now  pos¬ 
sible  to  tabulate  the  number  of  successful 
missions  for  each  of  the  four  cases.  The 
failure  combinations  are  identified  by  the 
associated  probabilities  in  the  following 
table. 
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SUCCESSFUL  MISSIONS 


The  identification  of  the  failure  com¬ 
bination  is  the  formula  for  the  probability 
of  the  combination.  Therefore,  the  formula 
for  the  probability  of  successful  equipment 
operation  in  each  of  the  four  cases  can  be 
written  as  the  sum  of  the  identifications  for 
the  recorded  entities.  These  are  as  fol¬ 
lows: 

Case  Probability  of  Success 

1  abc 

2  abc  +  ab^  +  aEc  +  aEc  +  abc 

+  abc  +  aEc 

3  abc  +  aEc  +  abc 

4  abc  +  abc  +  aEc  +  abc  +  aEc 

These  formulae  can  be  simplified  for  cases 
2,  3,  and  4.  Thus,  for  case  2  the  formula  is 

1  -  aEc  ora  +  b  +  c-  ab-ac-bc  +  abc 
For  case  3,  the  formula  is 

ac  +  abc  or  c(a  +  ab)  or  c(a  +  b  -  ab) 


For  case  4,  the  formula  is 
0 

c  +  abc  or  c  +  ab  -  abc 


2.1.9  Probability  and  Time 

The  probability  formulae  and  examples 
given  thus  far  have  related  to  missions  of 
fixed  time  duration,  where  time  was  con¬ 
sidered  a  constant  factor.  In  most  applica¬ 
tions  of  probability  theory  to  reliability 
engineering,  the  events  being  studied  are 
expressed  as  continuous  functions  of  time. 
Hence  the  probabilities  are  not  constants  but 
are  functions  of  the  time  variable,  denoted 
by  t.  The  probability  formulae  given  above 
hold  equally  well  when  interpreted  as  func¬ 
tions  of  time.  For  example,  the  reliability 
at  time  t  is  equivalent  to  a  probability  of  no 
failure  before  t.  If  we  have  a  system  com¬ 
posed  of  two  equipments,  a  and  b,  each 
having  an  independent  probability  of  suc¬ 
cessful  operation,  then  by  the  multiplication 
law  the  probability  of  successful  system 
operation  at  time  t  is 

R.b(t)  -  R.M  ■  R„<*>  -  RSU> 

If  we  have  two  equipments  a  and  b  and  if 
the  system  is  successful  at  time  t  if  either 
or  both  a,  b  are  operable,  then  by  the  addi¬ 
tion  law 

Hs(.)  -  R.(t)  +  Rb(.)  -  R.b(l> 


In  the  example  of  2.1.8,  the  system 
success  was  defined  as  failure-free  perfor¬ 
mance  for  the  duration  of  a  mission  of  a 
fixed  length.  If  the  equipment  were  used 
for  a  longer  time,  one  would  expect  lower 
probabilities  of  success.  This  can  be  repre¬ 
sented  in  general  by  replacing  the  numerical 
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probabilities  by  functions  of  time.  Let 
Rp(t),  Ru(t),  and  Rc(t)  represept  the  probabil¬ 
ities  of  failure-free  operation  for  a  mission  of 
length  t  for  boxes  A,  B,  and  C,  respectively. 
Failure  probabilities  will  bel-Ra(t),  1-Rjj(t), 
and  1-Rc(t).  If  individual  boxes  follow  the 
exponential  law  (usually  the  case  in  non- 
redundant  designs),  then: 

Ra(t)  =  e*xt 
Rb(t)  =  e-r* 

Rc(t)  =  e"zt 

The  probability  of  equipment  success, 
using  these  reliability  expressions,  is: 


Case  Probability  of  Success 

j  e-(x+y+z) 

2  e*xt  +  e-y1  +  e'zt  -  e*(x+y)l 

_  e-(x+z)t  _  e-(y+z)t 
+  e-(x+y+z)t 

3  e*zt  (e*xt  +  e*yl -e*(x+y)l) 

4  e-zt  +  e-(x+y)t  _  e-(x+y+z)t 

The  function  for  case  1  is  of  the  same 
form  as  the  functions  for  the  black  boxes— 
namely,  an  exponential.  In  all  other  cases, 
the  equipment  probability  of  success  is  not 
exponential,  but  instead  is  quite  complex. 
This  point  is  discussed  further  in  the  sec¬ 
tion  on  redundancy. 


2.2  PROBABILITY  DENSITY  AND  DISTRIBUTION  FUNCTIONS 


A  probability  distribution  is  the  rela¬ 
tive  frequency  with  which  certain  events 
occur.  In  reliability  work,  the  term  “event" 
is  usually  related  to  failure  time  by  con¬ 
sidering  the  time  at  which  failures  occur  or 
by  considering  the  number  of  failures  that 
occur  in  a  fixed  time  interval.  In  order  to 
predict  .system  reliability,  it  is  necessary 
to  know  the  part  or  component  failure  prob¬ 
ability  distributions.  The  more  common 
failure  probability  distributions  used  in 
reliability  engineering  are  discussed  in  this 
section. 

Discrete  and  Continuous  Probability 
Distributions 

Probability  distributions  are  classi¬ 
fied  in  two  general  categories,  discrete  and 
continuous.  In  a  discrete  distribution  the 
random  variable  can  take  on  only  isolated 
values  and  can  change  only  by  set  incre¬ 
ments,  as  shown  in  Figure  2-6. 


«*) 


0  I  2  3  4  ;  5  6  \  7 

®  ® 

Figure  2-6.  A  Discrete  Probability 
Distribution 

If  a  random  variable  can  take  on  any 
value  within  an  interval,  then  the  associated 
probability  distribution  is  continuous,  as 
illustrated  in  Figure  2-7. 
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«w 


Figure  2-7.  A  Continuous  Probability 
Distribution 


In  both  cases,  x  represents  the  random 
variable,  and  f(x)  the  probability  distribution 
or  probability  density  function  (pdf)  of  x. 
f(x)  has  the  following  properties: 

(1)  f(x)  is  always  positive,  with  unity 
area: 


£  f(x)  =  1  if  x  is  discrete 

X 


or 


dx  =  1  if  x  is  continuous 


Cumulative  Density  Functions 

Associated  with  every  pdf  is  a  cumula¬ 
tive  density  function  (cdf)  of  x,  denoted  by 
F(x).  The  cdf  is  defined  as  the  probability 
that  the  value  of  the  random  variable  x  will 
be  less  than  or  equal  to  some  specific  value 
of  x,  such  as  “b”  for  example,  shown  in 
Figures  2-8  and  2-9. 


roo 


(2)  The  probability  that  x  will  take  on 
a  value  in  the  interval  [a,b]  is 
equal  to  the  area  between  the  two 
points: 


Figure  2-8.  A  Discrete  Cumulative 
Distribution  Function 


£f(x)  if  x  is  discrete 

x  =  a 


or 


if  x  is 


continuous 


For  a  discrete  random  variable,  at  x  =  b, 
F(b)  =  £f(x) 

x  =0 

where  0  is  the  lower  limit  of  the  range  of  x. 
For  a  continuous  random  variable,  at  x  =  b, 
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Figure  2-9.  A  Continuous  Cumulative 
Distribution  Function 


p  =  X  XjfW  for  discrete 

x  variables 

The  population  mean  is  estimated  from 
sample  readings  as  the  average  value  of  x 
in  n  readings: 


u 

;-L  V  X. 
n  x=l  1 


for  n  samples 


The  second  moment  of  a  distribution, 
the  variance  (a2),  is  a  measure  of  dispersion 
from  the  mean.  It  is  the  average  value  of 
the  square  of  the  deviation  of  individual 
items  from  the  mean.  It  corresponds  to  the 
moment  of  inertia  of  the  distribution  about 
the  mean.  Variance  is  defined  by  the  equa¬ 
tions 


Parameters  and  Moments  of  Distribution 

Most  probability  distribution  or  density 
functions  contain  certain  constants  called 
parameters.  These  parameters  completely 
specify  the  function. 


u2  =  2  (*.  -  ?)2  f(x) 

X  1 


for  discrete 
variable  s 


o2=  f“(x-P)2f(x)dx 

J-oo 


for  continuous 
variables 


Probability  distributions  are  described 
by  their  moments.  Moments  can  be  thought 
of  as  descriptive  properties  of  a  probability 
distribution  and  are  usually  related  to  the 
parameters  in  the  probability  distribution 
function. 


The  variance  is  usually  estimated  by 

o2  «.  S2  =-^r  X  (x.  -  x)2  for  n 

x=f  samples 


The  first  two  moments  are  of  major 
importance.  The  first  is  the  mean  (p)  of  the 
distribution.  This  is  the  x  coordinate  of 
the  center  of  gravity  of  the  area  under  the 
probability  density  curve.  Essentially,  the 
mean  is  the  arithmetic  average  of  the  values 
of  all  the  members  in  a  population. 

The  population  mean  is  defined  as 

p  =  I  xf(x)dx  for  continuous 
variables 


Two  of  the  most  commonly  encountered 
discrete  distributions  are  the  Binomial  and 
the  Poisson.  Both  are  described  in  detail 
in  2.2.1  and  2.2.2,  respectively.  In  general, 
discrete  data  do  not  furnish  as  much  infor¬ 
mation  as  continuous  measurements,  but  in 
many  cases  only  discrete  data  are  available 
because  of  time  or  economic  limitations,  or 
because  of  the  inherent  characteristics  of 
the  phenomenon  being  examined.  Continuous 
probability  distributions  are  presented  in 
more  detail  in  2.2.3  through  2.2.6. 
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2.2.1  The  Binomial  Distribution 

If  a  variable  can  be  classified  into 
two  mutually  exclusive  and  exhaustive  cate¬ 
gories  (i.e.,  every  value  will  lie  in  one  of 
the  categories  and  no  value  will  lie  in  both) 
—for  example,  head  or  tail,  black  or  white— 
and  if  the  probability  of  observing  each  of 
the  categories  on  any  trial  is  constant,  then 
the  variable  is  distributed  by  the  binomial 
law. 


The  usual  procedure  is  to  term  one  of 
the  two  categories  a  success  and  the  other 
a  failure.  If  p  is  the  constant  probability  of 
success  and  q  =  1-p  is  the  constant  prob¬ 
ability  of  failure,  then  the  distribution  of 
the  number  of  successes  x  in  n  total  trials 
is  given  by  the  binomial  pdf 


A  part  will  be  in  one  of  two  categories 
—defective  or  non-defective.  The  probability 
of  a  defective  part,  p,  is  0.05  and  the  prob¬ 
ability  of  a  non-defective  part,  q,  is  0.95. 
Sample  size,  n,  is  30,  and  the  specific  value 
of  the  random  variable  “number  of  defec- 
lives,”  s,  is  less  than  or  equal  to  2.  Using 
the  cumulative  binomial  density  function, 
Equation  (2-13),  the  probability  of  accepting 
the  lot,  P(a),  is  equal  to  the  probability  of 
zero,  one,  or  two  defectives  in  a  sample  of 
30: 


P(a)  =  |  30  (.05)*(.95)30'* 

x  -o 


30! 

0!30! 


(.05)°  (.95)30 


fW-(;)pY-x,i»0,  1,  2  ...  n 


30! 

1!29! 


(.05)1  (.9512  9 


and 


n! 

x!(n-x) ! 


(2-12) 


FIX) 


2  M 

s-0 


The  probability  that  x  <  X  is  given  by 
the  binomial  cumulative  distribution  func¬ 
tion  (cdf) 

F(X)  =  |  (j)  pVx.  X  <  n(2-13) 

The  mean  of  the  binomial  variable  x 
is  equal  to  np,  and  the  variance  is  equal  to 
npq. 

EXAMPLE:  Assume  a  very  large  lot 
of  identical  parts.  Past  experience 
has  shown  that  the  probability  of  a 
defective  part  is  equal  to  0.05.  The 
acceptance  sampling  plan  for  lots  of 
these  parts  is  to  randomly  select  30 
parts  for  inspection  and  accept  the  lot 
if  2  or  less  defectives  are  found.  We 
wish  to  find  the  probability  of  ac¬ 
cepting  the  lot. 


Figure  2-10.  Cumulative  Binomial 
Probability  Density  Function 
for  n=30,  p=.05 


0 


1  2  3  4  5 

NUMMt  OF  SUCCESSES  (X) 


6 


Figure  2*11.  Binomial  Probability 
Distribution  Function  for 
n=30,  p=.05 


+ 


30! 

2!28! 


(.05 J2  (.95)28 


-  0.812 

Figure  2-10  shows  this  cumulative 
density  function  for  the  above  parameters. 
Figure  2-11  shows  the  binomial  probability 
distribution  function  for  this  same  problem. 
From  it,  the  probability  of  no  defectives  in 
the  lot  is  0.22,  of  exactly  one  defective,  is 
0.33,  etc. 


EXAMPLE:  The  binomial  is  useful 
for  computing  the  probability  of  sys¬ 
tem  success  when  the  system  employs 
partial  redundancy.  Assume  a  five- 
channel  VHF  receiver  as  shown  in 
Figure  2-12. 


Figure  2-12.  Five  Channel  Receiver 
with  Two  Failures  Allowed 


As  long  as  three  channels  are  opera¬ 
tional,  the  system  is  classified  as 
satisfactory.  Each  channel  has  a  prob¬ 
ability  of  .9  of  surviving  a  24-hour 
operation  period  without  failure.  Thus 
two  channel  failures  are  allowed. 
What  is  the  probability  that  the  re¬ 
ceiver  will  survive  a  24-hour  mission 
without  loss  of  more  than  two  chan¬ 
nels? 

Let  n  =  5  =  number  of  channels 

r  =  2  =  number  of  allowable 
channel  failures 

p  =  .9  =  probaoility  of  individual 
channel  success 

q  =  .1  =  probability  of  individual 
channel  failure 

x  =  number  of  successful  channels 
and  P(S)  =  probability  of  system 
success 


Then 
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1  -vSi 

x=3  x  !(n-x) ! 


pV 


-X 


Values  of  the  binomial  coefficient, 


x  !(n-x) ! 


=  .99144 


are  shown  in  Table  2-1  to  values  of  n  and  x 
up  to  20.  For  values  beyond  the  table,  it  is 
often  practical  to  resort  to  simple  arithmetic 
as  in  the  case  of  the  third  coefficient  in  the 
first  example  above,  where  n  =  30,  x  =  2: 


This  is  the  probability  that  three 
or  more  of  the  five  channels  will  sur¬ 
vive  the  24-hour  operating  period. 

The  problem  can  be  solved  another 
way,  by  subtracting  the  probability  of 
three  or  more  failures  from  one,  e.g.: 


P(S)  -  1  -  P(F) 


i! 


1'x  =  (r+l)  x,(n-x)1 


q»p-« 


5! 

5!0! 


(.1)5( 


.9)°] 


=  1  -  [.00856]  =  .99144  as  before 


Note  the  change  in  notation  (only) 
that  x  now  represents  the  number  of 
failures  and  q*  is  the  probability  of  x 
failures  whereas  before  x  represented 
the  number  of  successes  and  px  was 
the  probability  of  x  successes. 

Computations  involving  the  binomial 
distribution  become  rather  unwieldy  for  even 
small  sample  sizes;  however,  complete 
tables  of  the  binomial  pdf  and  cdf  are  avail¬ 
able  in  many  statistics  texts. 


-  _30]_  .  28!(29)(30)  _  29-30 
*/  2!28!  2!28!  2 

=  435 


2.2.2  The  Poisson  Distribution 

The  probability  distribution  function 
of  the  Poisson  is 

f(x)  ,  x  >  0  (2-14) 

x ! 

where  m  =  np 

x  =  the  number  of  failures  (or 
successes,  according  to  the 
problem  statement) 

The  parameter  m  is  the  expected  or  average 
number  of  failures  (or  successes)  in  n  trials. 
The  variance  is  also  equal  to  m.  The  cum¬ 
ulative  Poisson  distribution  function  is 

F(X)  =  |  e^mi  (2-15) 

x  =  0  x! 

When  n,  the  sample  size  or  number  of 
observations,  becomes  large,  and  p,  the 
probability  of  failure,  is  very  small,  the  bi¬ 
nomial  distribution  can  be  closely  approxi¬ 
mated  by  Poisson’s  limit. 

EXAMPLE:  The  first  example  given 
for  the  binomial  distribution  can  be 
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*For  complete  tables,  see  National  Bureau  of  Standards, 
Tables  of  the  Binomial  Probability  Distribution,  GPO  1949 
(Applied  Msthematics  Series  6) 


NAVWEPS  00-65-502 


solved  using  the  Poisson  approxima¬ 
tion.  Here  m  «  np  =  3(K.05)  =  1.5. 


P(a) 


e^V 

i! 


EXAMPLE:  Assume  a  partially  re¬ 
dundant  system  of  ten  elements.  An 
average  of  X  failures  per  hour  can  be 
expected  if  each  failure  is  instantly 
repaired  or  replaced.  Find  the  prob¬ 
ability  that  x  failures  will  occur  if 
the  system  is  put  in  operation  for  t 
hours  and  each  failure  is  repaired  as 
it  occurs. 

If  X  is  the  average  number  of  fail¬ 
ures  per  element  for  one  hour,  then 
m  =  Xt  is  the  average  number  of  ele¬ 
ment  failures  for  t  hours.  Hence, 


The  true  probability  given  by  the 
binomial  is  0.812,  hence  the  Poisson 
approximation  is  reasonably  close. 
Thus  for  large  n  and  small  p,  the 
Poisson  can  be  used  to  approximate 
binomial  probabilities. 

For  the  binomial  we  had  a  sample  of  a 
definite  size  and  could  count  the  number  of 
times  an  event  occurred  and  also  the  num¬ 
ber  of  times  it  did  not  occur.  There  are 
many  situations  in  which  the  number  of 
times  an  event  did  not  occur  are  meaningless. 
For  example,  the  number  of  defects  in  a  sheet 
of  steel  can  be  counted,  but  we  cannot 
count  the  number  of  non-defectives.  Sim¬ 
ilarly,  for  a  fixed  time  period  we  can  count 
the  number  of  telephone  calls  made,  but  the 
number  of  telephone  calls  not  made  has  no 
meaning. 

If  m,  the  expected  number  of  events 
in  a  given  interval  of  time,  is  constant,  and 
if  the  number  of  events  produced  in  any  sub¬ 
interval  is  independent  of  the  number  of 
events  produced  in  any  other  time  interval, 
then  the  probability  of  x  events  for  the  in¬ 
terval  is  a  Poisson  distribution  given  by 
Equation  (2-14).  The  Poisson  frequency 
distribution  then  predicts  the  number  of 
failures  in  a  given  time  interval,  if  time  ef¬ 
fect  is  negligible. 


«ri  .  x  >  o 

X! 

With  n  of  these  elements  in  the  sys¬ 
tem,  the  average  number  of  failures  in 
t  hours  would  be  nXt,  and 

Ki) .  e-A  W 

x! 

If  X  =  0.001  per  hour,  t  =  50  hours,  for 
n  =  10,  then 

m  =  nXt  =  10(. 001)50  =  0.5 

x! 

f(x  =  0)  =  .607 
fix=l)  =  .303 
fix  =  2)  =  .076 

etc.,  as  shown  in  Figure  2-13. 

By  cumulatively  adding  the  prob¬ 
abilities  of  consecutive  values  of  x,  e.g., 
0,  0+1,  0+1+2,  the  cumulative  probability 
function  can  be  generated.  This  function 
is  shown  in  Figure  2-14  for  x  =  0,  1,  2,  3. 
Mathematically  it  is  represented  by  Equation 
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NUMBER  OF  FAILURES  (X) 


Figure  2*13.  Poisson  Probability 
Function  for  m=0.5 


Figure  2*14.  Cumulative  Poisson 
Probability  Distribution  Function 
for  m=0.5 


(2-15),  where  m  is  the  Poisson  parameter 
which,  for  the  example  given,  is  equal  to 
nAt  and  represents  both  the  mean  and  the 
variance. 


The  system  then  has  a  probability  of 
.607  of  surviving  the  50-hour  mission  with 
no  element  failures;  a  probability  of  .91  (the 
sum  of  P(0)  and  P(l))  of  surviving  with  no 
more  than  one  element  failure.  There  is  a 
9%  chance  that  two  or  more  failures  will 
occur  during  the  mission  period.  If  the  sys¬ 
tem  will  perform  satisfactorily  with  nine 
elements,  and  if  further  we  are  permitted 
one  on-line  repair  action  during  the  mission 
(to  repair  a  second  failure)  then  system  re¬ 
liability  with  one  repair  during  the  mission 
is  .986  (assuming  instantaneous  repair  or 
replacement  capability).  This  illustrates 
the  advantage  of  on-line  repairs,  to  permit 


failure  occurrence  without  sacrificing  re¬ 
liability. 

Chart  2-II  is  a  Poisson  cumulative 
probability  graph  for  values  of  m  ranging 
from  0.1  to  30,  useful  for  graphical  solu¬ 
tion  of  the  Poisson  equation.  In  the  above 
case,  for  example,  enter  the  chart  at  m  =  .5 
and  go  vertically  to  the  curve  r  =  0.  The 
ordinate  corresponding  to  this  point  is  ap¬ 
proximately  0.6— the  probability  of  zero  fail¬ 
ures  in  the  50-hour  mission.  Proceeding  to 
the  r  =  1  curve,  again  at  m  =  .5, the  probability 
of  surviving  a  50-hour  mission  with  one  or 
less  (no  more  than  one)  failure  is  approxi¬ 
mately  0.91  as  was  derived  before.  To  find 
the  probability  of  two  or  more  failures,  merely 
subtract  the  probability  of  one  or  less 
from  unity,  e.g.: 

P(r  >  2)  =  1  -  P(r  <  1) 

=  1  -  0.91  =  0.09  =  9% 
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EXAMPLE:  What  is  the  probability 

of  finding  three  or  more  defective 
transistors  in  a  sample  of  n  =  100 
whose  percent  defective  p  =  5%  =  .05? 

Enter  chart  at  m  =  np  =  (100)(.05)  =  5. 

Go  vertically  to  r  =  2. 

Read  0.125  as  the  probability  of  2  or 
less. 

Then  the  probability  of  3  or  more 
=  1  -  0.125  =  0.875 

EXAMPLE :  What  is  the  probability 
of  a  10-hour  mission  without  failure 
in  a  system  whose  mean  life  is  known 
to  be  50  hours? 

n  =  1  system 

A  =  1  failure  per  50  hours 
=  .02  failures  per  hour 

t  =  10  hours 

m  =  nAt  =  (1)(.02)(10)  =  .2 
r  =  0  =  allowable  failures 
Enter  chart  at  m  =  .2. 

Go  vertically  to  r  =  0. 

Read  0.82  on  left-hand  scale. 

This  is  the  reliability  of  the  system 
for  a  10-hour  mission. 


Probability  of  at  least  8  operational 
systems  for  the  full  10-hour  mission 
is  then  0.67.  This  can  be  interpreted 
as  a  level  of  confidence  on  the  esti¬ 
mated  reliability,  i.e.,  67%  confidence 
that  at  least  80%  operational  reliability 
will  be  realized. 

As  another  application  of  the 
Poisson  Chart,  determine  the  number 
of  aircraft  that  should  be  dispatched 
to  assure  with  90%  confidence  that  at 
least  10  will  remain  on  patrol  for  the 
10-hour  period.  From  the  previous 
example,  n  is  unknown  and  r  is  un¬ 
known.  But  n  =  m/At  =  5m,  for  At  =  .2 
as  before.  Then  n  -  r  =  5m  -  r  =  10  at 
90%  confidence  will  satisfy  the  re¬ 
quirement.  From  the  Chart,  m  =  3  and 
c  =  5  is  the  combination  that  satisfies 
the  90%  probability  ordinate.  Thus, 
15  aircraft  should  be  dispatched  to  be 
90%  confident  that  10  will  remain  on 
patrol  throughout  a  10-hour  mission. 

Confidence  limits  and  levels  are  dis¬ 
cussed  in  more  detail  in  2.3. 


2.2.3  The  Normal  Distribution 

The  normal  distribution  has  the  prob¬ 
ability  density  function  shown  by  the  follow¬ 
ing  equation: 


EXAMPLE:  If  10  aircraft  take  off  for 
ASW  service,  each  with  the  system 
described  above,  what  is  the  prob¬ 
ability  that  at  least  8  will  complete 
the  10-hour  mission  without  failure? 

m  =  nAt  =  2  failures  expected 
r  =  2  or  less 


(x-u)2 

’77“ 


for  values  of  x  between  -«  and  +<» 
(-00  <  X  <  oo)  (2-16) 

The  formula  shows  that  the  two  para¬ 
meters  of  the  normal  distribution  are  the 
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mean,  and  the  standard  deviation,  a. 
Figure  2-15  shows  the  normal  curve.  The 
ordinate  of  the  probability  density  function 
(pdf)  indicates  the  relative  probabilities  of 
various  values  occurring. 


*z) 


Figure  2-15.  Probability  Density  Function 
of  the  Normal  Distribution 


HZ) 


Figure  2-16.  Cumulative  Distribution  Function 
of  the  Normal  Distribution 


Z2 


The  area  under  a  density  curve  be¬ 
tween  two  points,  a  and  b,  is  equal  to  the 
probability  that  a  value  will  occur  between 
a  and  b.  To  find  this  probability  it  is  neces¬ 
sary  to  integrate  the  pdf  between  a  and  b. 
That,  for  the  normal  distribution,  is: 


P[a  <  x  < 


(x-4)2 
2<t  dx 


Tables  of  the  cumulative  normal  dis¬ 
tribution,  shown  in  Figure  2-16,  have  been 
tabulated  in  Table  2-11  for  a  distribution 
with  mean  0  and  variance  1.  This  is  called 
the  standard  or  normalized  form  and  is  ob¬ 
tained  by  transforming  the  original  values 
of  x  into  a  new  variate  Z  where 


Z  = 


X  - 


The  density  function  of  Z  is 


The  table  therefore  gives 
F(Z)  =  f  Z  f(Z)dZi/ 

J  -oo 

For  a  known  mean  and  variance  of  the 
variable  x,  various  probabilities  can  be 
found  by  computing  Z  =  (x  -  (i)/o  and  refer¬ 
ring  to  the  table  of  areas. 

EXAMPLE:  Assume  g  =  100  and  a  =  5. 
Find  the  probability  that  a  value  will 
occur  between  95  and  110  as  shown  in 
Figure  2-17. 

Let  Zx  —95.-  100  , 

5 


-^Other  limits  often  given  are  f  g,  ,  and  f‘ Be¬ 
cause  of  the  symmetry  of  the  normal  distribution,  it 
is  easy  to  use  any  set  of  tables  to  find  particular 
probabilities. 
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TABLE  2-11  CUMULATIVE  NORMAL  DISTRIBUTION 


z 

.000 

.01 

.02 

.03 

.04 

.05 

.06 

.07 

.08 

.09 

.0 

.5000 

.5040 

.5080 

.5120 

.5160 

.5199 

.5239 

.5279 

.5319 

.5359 

.1 

.5398 

.5438 

.5478 

.5517 

.5557 

.5596 

.5336 

.5675 

.5714 

.5753 

2 

.5793 

.5832 

.5871 

.5910 

.5948 

.5987 

.6026 

.6064 

.6103 

.6141 

.3 

.6179 

.6217 

.6255 

.6293 

.6331 

.6368 

.6406 

.6443 

.6480 

.6517 

.4 

.6554 

.6591 

.6628 

.6664 

.6700 

.6736 

.6772 

.6808 

.6844 

.6879 

.5 

.6915 

.6950 

.6985 

.7019 

.7054 

.7088 

.7123 

.7157 

.7190 

.7224 

.6 

.7257 

.7291 

.7324 

.7357 

.7389 

.7422 

.7454 

.7486 

.7517 

.7549 

.7 

.7580 

.7611 

.7642 

.7673 

.7704 

.7734 

.7764 

.7794 

.7823 

.7852 

.8 

.7881 

.7910 

.7939 

.7967 

.7995 

.8023 

.8051 

.8078 

.8106 

.8133 

.8159 

.8186 

.8212 

.8238 

.8264 

.8289 

.8315 

.8340 

.8365 

.8389 

.8413 

.8438 

.8461 

.8485 

.8508 

.8531 

.8554 

.8577 

.8599 

.8621 

.8643 

.8665 

.8686 

.8708 

.8729 

.8749 

.8770 

.8790 

.8810 

.8830 

.8849 

.8869 

.8888 

.8907 

.8925 

.8944 

.8962 

.8980 

.8997 

.9015 

.9032 

.9049 

.9066 

.9082 

.9099 

.9115 

.9131 

.9147 

.9162 

.9177 

.9192 

.9207 

.9222 

.9236 

.9251 

.9265 

.9279 

.9292 

.9206 

.9319 

1.5 

.9332 

.9345 

.9357 

.9370 

.9382 

.9394 

.9406 

.9418 

.9429 

.9441 

1.6 

.9452 

.9463 

.9474 

.9484 

.9495 

.9505 

.9515 

.9525 

.9535 

.9545 

1.7 

.9554 

.9564 

.9573 

.9582 

.9591 

.9599 

.9608 

.9616 

.9625 

.9633 

1.8 

.9641 

.9649 

.9656 

.9664 

.9671 

.9678 

.9686 

.9693 

.9699 

.9706 

1.9 

.9713 

.9719 

.9726 

.9732 

.9738 

.9744 

.9750 

.9756 

.9761 

.9767 

2.0 

.9772 

.9778 

.9783 

.9788 

.9793 

.9798 

.9803 

.9808 

.9812 

.9817 

2.1 

.9821 

.9826 

.9830 

.9834 

.9838 

.9842 

.9846 

.9850 

.9854 

.9857 

2  2 

.9861 

.9864 

.9868 

.9871 

.9875 

.9878 

.9881 

.9884 

.9887 

.9890 

2.3 

.9893 

.9896 

.9898 

.9901 

.9904 

.9906 

.9909 

.9911 

.9913 

.9916 

2.4 

.9918 

.9920 

.9922 

.9925 

.9927 

.9929 

.9931 

.9932 

.9934 

.9936 

2.5 

.9938 

.9940 

.9941 

.9943 

.9945 

.9946 

.9948 

.9949 

.9951 

.9952 

2.6 

.9953 

.9955 

.9956 

.9957 

.9959 

.9960 

.9961 

.9962 

.9963 

.9964 

2.7 

.9965 

.9966 

.9967 

.9968 

.9969 

.9970 

.9971 

.9972 

.9973 

.9974 

2.8 

.9974 

.9975 

.9976 

.9977 

.9977 

.9978 

.9979 

.9979 

.9980 

.9981 

2.9 

.9981 

.9982 

.9982 

.9983 

.9984 

.9984 

.9985 

.9985 

.9986 

.9986 

3.0 

.9987 

.9987 

.9987 

.9988 

.9988 

.9989 

.9989 

.9989 

.9990 

.9990 

3.1 

.9990 

.9991 

.9991 

.9991 

.9992 

.9992 

.9992 

.9992 

.9993 

.9993 

3.2 

.9993 

.9993 

.9994 

.9994 

.9994 

.9994 

.9994 

.9995 

.9995 

.9995 

3.3 

.9995 

.9995 

.9995 

.9996 

.9996 

.9996 

.9996 

.9996 

.9996 

.9997 

3.4 

.9997 

.9997 

.9997 

.9997 

.9997 

.9997 

.9997 

.9997 

.9997 

.9998 

F(Z) 


■I! 


J2tr 


,  -Z  /2 


dz 
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Figure  2-17.  Probability  of  a  Value  between  Two  Points  under  the  Normal 


V  110-100  o 

Z2 - 5 

Then 

P[95  <  x  <  100]  -  P[-l  <  Z  <  2] 

=  F(2)  -  F(-l) . 

From  Table  2-II, 

F(2)  =  0.977,  and 
F(-l)  =  0.159; 

hence  Pt-1  <  Z  <  2]  =  0.977  -  0.159 
=  0.818 

In  reliability  engineering,  the  normal 
distribution  is  frequently  found  to  adequately 
represent  the  failure  time  distribution  of 
items  whose  failure  modes  are  a  result  of 
wearout.  The  failure  rate  of  a  normally  dis¬ 
tributed  time-to-failure  variable  is  an  in¬ 
creasing  function  of  the  age  of  the  product, 
which  is  consistent  with  a  wearout  process. 

It  must  be  pointed  out  that  the  normal 
distribution  implies  that  the  variable  can 
theoretically  take  on  values  anywhere  be¬ 


tween  plus  and  minus  infinity.  In  reliability 
work  where  the  variable  is  time-to-failure, 
values  less  than  zero  cannot  occur.  The  use 
of  the  normal  distribution  rests  upon  its 
ability  to  describe  the  observed  phenomena. 
Normal  assumptions  appear  valid  for  those 
cases  described  below. 

(a)  Probability  of  failure,  before  time 

zero,  is  small. 

The  table  of  the  cumulative  standard 
normal  shows  that  the  probability  of  a  value 
less  than  three  standard  deviations  below 
the  mean  is  negligibly  small— approximately 
.001  compared  to  the  total  area  under  the 
curve,  which  is  equal  to  one.  If  \l  is  greater 
than  3a,  then  the  theoretical  probability  of  a 
value  falling  below  zero  is  small  enough  to 
ignore. 

(b)  Truncated  normal. 

The  truncated  normal  distribution  may 
be  appropriate.  By  truncation  of  a  distribu¬ 
tion  is  meant  that  a  portion  of  the  curve  is 
deleted  and  its  area  is  distributed  over  the 
remaining  portion.  In  this  particular  case, 
it  is  assumed  that  population  values  less 


A2-25 


NAVWEPS  00-65-502 


-  RBJABNJTY 


Figure  2-18.  Reliability  Function  =  One  Minus  F(Z),  the  Failure 

Density  Function 


than  zero  are  impossible  and  the  probability 
area  represented  by  these  values  is  to  be 
distributed  over  the  range  0  to  «. 

EXAMPLE:  Assume  an  item  whose 
mean  life  and  standard  deviation  is 
estimated  to  be  300  hours  and  40 
hours,  respectively.  If  its  mission 
length  (or  time  before  maintenance  or 
replacement)  is  250  hours,  the  prob¬ 
ability  that  the  item  will  complete  its 
mission  is 

R(250)  =  1  -  F(250) 


I  -oo  40V  2»r 


(x-300)2 

2(40)2 


By  letting 
„  x-300 


the  upper  limit  of  x  »  250  becomes 
250-300 
40  “ 
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and 


R(Z)  =  1 


r-l.25  J_ 
J'00  yj2n 


dz 


=  1-0.106 


=  0.894 


A  probability  distribution  function  for 
this  example  is  shown  in  Figure  2-18. 


2.3  THE  EXPONENTIAL  DISTRIBUTION 


The  exponential  density  is  a  direct 
consequence  of  the  assumption  that  the 
probability  of  failure  in  a  given  time  interval 
is  directly  proportional  to  the  length  of  the 
interval  and  is  independent  of  the  age  of 
the  product.  The  exponential  density  de¬ 
rived  from  this  basic  assumption  has  the 
form 

_ t_ 

f(t)  =-Le  9  (2-17) 

e 

where  0  =  mean  life  and  t  is  the  time  period 
of  interest.  The  reliability  at  time  t  is 

_  JL  t 

R(t)  =  (“±e  0dt  =  e  6  (2-18) 

Jt  8 

Figure  2-19  shows  the  exponential 
reliability  function  where  time  is  given  in 
units  of  6. 

Mean  life  is  the  arithmetic  average  of 
the  lifetimes  of  all  items  considered.  A 
lifetime  may  consist  of  time-between- 
malfunctions,  time-between-repairs,  time-to- 
removal-of-parts,  etc.  Mean  life  for  the  ex¬ 
ponential  distribution  is  MTBF  =  0. 

The  property  of  the  exporential  implies 
two  significant  failure  characteristics.  First, 
individual  failures  occur  in  a  random  or 
unpredictable  manner.  Second,  the  failure 
rate  or  hazard  rate  is  constant,  which 
implies  that  deterioration  is  not  a  failure 
cause. 


m  -  • 


TIME  M  UNITS  OF  MEAN  UFE  -  t/e 

Figure  2-19.  The  Exponential  Reliability 
Function 

The  constant  failure  rate  per  h  hours 
can  be  shown  to  equal  h 

l-e~  0 

and,  similarly,  the  failure  rate  per  hour  is 
_  JL 
1  -e  9 

When  6  is  large  relative  to  h,  the  failure  rate 
per  h  hours  is  usually  approximated  by  h/0. 

The  instantaneous  failure  rate,  A, 
equals  1/0  and  is  usually  used  as  the  con¬ 
stant  exponential  failure  rate.  Thus 

R(t)  =  e-*  (2-19) 

If  an  item  has  a  constant  failure  rate, 
the  reliability  at  its  mean  life,  0,  is  0.368. 
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In  other  words,  the  mean  life  will  occur  at 
the  point  where  there  is  36.8%  probability 
of  survival.  This  follows  from 


The  Poisson  density  of  number  of 
failures,  x,  is 


Q 

R(0)  =  e  9 


=  0.368 


This  is  shown  in  Figure  2-19.  Thus  there 
is  a  36.8%  probability  that  a  system  will 
survive  to  its  mean  life,  without  failure. 

Mean  life  and  failure  rates  are  related 
by  the  following  equations: 


(2-20) 

(2-21) 


2.3.1  Relationship  of  the  Exponential 

to  the  Poisson 

The  exponential  and  the  Poisson  dis¬ 
tributions  are  equivalent  except  for  the 
choice  of  the  random  variable.  For  the  ex¬ 
ponential,  the  random  variable  is  the  time- 
to-failure;  for  the  Poisson,  it  is  the  number 
of  failures  per  given  time  period  where 
failure  times  are  exponentially  distributed. 
The  exponential  variable  is  continuous;  the 
Poisson  variable  is  discrete. 


Letting  m  =  At,  the  expected  number  of  fail¬ 
ures  over  the  interval  (0, t)  in  a  replacement 
situation,  the  density  becomes 

f(X)  =  e:Xt(At)i 

x! 

The  probability  of  zero  failures  in  the  in¬ 
terval  (0,  t)  is  therefore 

f(0)  =  e*At 

which  is  the  exponential  reliability  function. 


2.3.2  The  Exponential  Function 

as  a  Failure  Model 

The  mechanism  underlying  the  ex¬ 
ponential  reliability  function  is  that  of  ran¬ 
dom  or  chance  failures  which  are  independent 
of  accumulated  life  and  consequently  are 
individually  unpredictable.  The  use  of  this 
type  of  "failure  law”  for  complex  systems 
is  usually  justified  by  the  fact  that  many 
forces  can  act  upon  the  system  and  produce 
failure.  Varying  deterioration  mechanisms, 
different  part  failure  rates,  varying  envir¬ 
onmental  conditions,  and  so  on,  result  in 
stress-strength  combinations  that  produce 
failures  randomly  in  time. 
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FAILURE  RATE 


OPERATING  LIFE 


Figure  2-20.  Typical  Failure-Rate  Curve 


A  typical  failure-rate  curve  is  shown 
in  Figure  2-20.  If  a  life  characteristic  can 
be  represented  by  this  type  of  curve,  then 
for  some  time  period— say,  (0,T) — the  failure 
rate  is  approximately  constant;  that  is, 
failures  in  this  period  can  be  classified  as 
random  occurrences.  After  time  T,  wearout 
effects  become  apparent  with  increasing 
frequency,  so  that  the  probability  *of  failure 
increases.  Infant  mortality,  represented  by 
a  decreasing  failure  rate  in  early  life,  is 
usually  detected  during  system  debugging, 
and  therefore  should  not  remain  as  a  con¬ 
tinuing  problem  after  the  system  gets  into 
the  Fleet. 


life,  t/0.  Tables  of  the  Exponential  Func¬ 
tion  are  available  from  the  Department  of 
Commerce.  V 


e‘x  may  also  be  derived  from  the  series 
expansion: 


-x 


=  1  - 


EXAMPLE: 


=  1  3+J£L  .027  ,  .0081 

2  6  24 


Chart  2-III  presents  normalized  func¬ 
tions  for  both  R(x)  and  U(x)  =  1  -  R(x),  with 
x  expressed  in  terms  of  proportion  of  mean 


=  1  -  .3  +  .045  -  .0045  +  .0003 


=  .7408 


2/ 

-  Tables  of  Exponential  Function,  National  Bureau  of 
Standards  Applied  Mathematics  Series  No.  14. 
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APPENDIX  3.  RELIABILITY  ESTIMATION 


During  the  course  of  system  develop¬ 
ment,  evaluation,  and  Fleet  use,  many  op¬ 
portunities— both  planned  and  unplanned— 
become  available  for  the.  estimation  of  re¬ 
liability  on  the  basis  of  data  generated  in 
system  testing  and  operational  use.  Other 
sections  of  the  appendix  describe  procedures 


for  test  design  and  data  reporting.  This 
appendix  describes  the  most  commonly  used 
procedures  for  analyzing  and  presenting 
such  data  for  practical  application  by  man¬ 
agement  and  engineering  in  system  improve¬ 
ment. 


3.1  ESTIMATION  OF  MEAN  LIFE  AND  FAILURE  RATE 
IN  THE  EXPONENTIAL  CASE 


The  mean  life  of  an  equipment  whose 
failure  times  have  the  exponential  distribu¬ 
tion  is  approximately 

0  ,  Total  Operating  Time,  T(t) 

Number  of  Observed  Failures 

=  I(t)  (3.j) 

r 

A 

where  6  denotes  estimated  mean  life. 

Since  the  hazard  or  instantaneous  failure 
rate  is  equal  to  the  reciprocal  of  mean  life, 
all  estimates  of  8  can  be  used  to  estimate  A. 

Total  operating  time  is  defined  to  be 
the  total  number  of  operating  hours  accumu¬ 
lated  before  the  test  is  terminated,  or  the 
total  test  time  in  a  test  to  failure  of  several 
items.  For  example,  if  a  test  of  n  items 
was  run  for  T  hours  and  failed  items  were 
not  replaced, 

T(t)  -  £  +  (n-r)T  (3-2) 

i  - 1  * 

where  t.  is  the  time  of  the  i**1  failure 

and  T  is  length  of  test  in  hours. 

If  c  items  were  censored  before  T 
(removed  before  failure,  accidentally  broken, 


etc.)  and  were  not  replaced  in  the  test,  then 

T(t)  =  £  t.  +  i  t.  +  (n-  r-c)T  (3-3) 
i  = 1  j  =1  J 

where  t-  is  the  time  the  j1*1  censorship 
took  place. 

EXAMPLE:  Ten  traveling  wave  tubes 
were  placed  on  reliability  demonstra¬ 
tion  test.  The  test  was  terminated 
with  the  fifth  failure.  One  tube  had 
been  removed  from  the  test  because  of 
accidental  damage  after  100  hours  of 
operation.  Total  accrued  test  time 
was  then 


Time  to  1st  failure 

10  hours 

Time  to  2nd  failure 

70  hours 

Time  to  3rd  failure 

120  hours 

Time  to  4th  failure 

210  hours 

Time  to  5th  failure 

300  hours 

Time  to  censorship 
(damaged  tube) 

100  hours 

Time  to  censorship 
(remaining  4  tubes) 

1,200  hours 

Total  Operating 
Time 

2,010  hours 
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Mean  Life  -  9 

=  Total  Operating  Time 
Number  of  Failures 

_  2,010  hours 
5 

=  402  hours 

Failure  Rate  -  l/d  =  1/402 
-  2,480  x  10 * 
failures  per  hour. 

EXAMPLE:  An  airborne  system  has 
been  out  on  20  successive  3-hour  mis¬ 
sions.  In  five  instances  the  system 
failed  during  a  mission.  Times  to 
failure  were  recorded  to  the  nearest 
half-hour  as: 


Failure  »\ 
Failure  #2 
F  ailure  #3 
Failure  #4 
Failure  #5 


1.5  hours 
.5  hours 

2.5  hours 
1.0  hours 
2.0  hours 


Total  Time  to  Failure  7.5  hours 

Total  Successful  Time 
=  3  x  15  =  45.0  hours 

Total  “Up”  Time  52.5  hours 


Mean  Life, 

0  =  52.5  hours 

3 


10.5  hours 


System  failure  rate  =  1/10.5  =  one 
failure  per  10.5  hours  or  .095  failures 
per  hour,  usually  expressed  as  95 
failures  per  thousand  hours  or95  x  10'3 
failures  per  hours. 

Reliability  Nomograph 

A  reliability  nomograph-/  is  shown  in 
Chart  3-1.  The  nomograph  relates  reliability 
to  operating  time  and  failure  rates  or  mean 
life  for  the  exponential  case. 

EXAMPLE:  Mean  time  to  failure  of  an 
airborne  fire  control  system  is  10 
hours.  What  is  the  probability  that 
the  system  will  satisfactorily  perform 
throughout  a  3-hour  mission?  Connect 
6  *  10  to  t  =  3  hours  with  a  straight 
edge  and  read  R  =  .75  for  an  estimate 
of  reliability  for  the  3-hour  mission. 
This  is  the  graphical  solution  to  the 
equation 

A 

R(3  hours)  =  emt/0  =  e'-3  =  .7408 


3.2  VERIFICATION  OF  VALIDITY  OF  THE  EXPONENTIAL  ASSUMPTION 


The  exponential  function  is  generally 
valid  for  complex  systems  and  most  parts. 
However,  if  failure  rate  data  do  not  support 
the  exponential  assumption,  or  if  failures  do 
not  occur  randomly  in  time  and  wear  out  be¬ 
comes  an  important  factor,  then  the  expon¬ 
ential  assumption  is  no  longer  valid. 

A  graphical  procedure  is  useful  for  a 
quick  indication  of  the  validity  of  the  ex¬ 
ponential  assumption  provided  that  the 


number  of  observed  failures  is  relatively 
large.  The  procedure  is  to  plot  the  cum¬ 
ulative  test  or  operating  time  against  the 
cumulative  number  of  failures  r,  as  shown  in 
Figure  3-1. 


—/Reprinted  with  permission  from  Reliability  fTata 
Sheet  »1,  Curtiss  Division  of  Cnrtiss-Wright  Cor¬ 
poration,  Caldwell,  New  Jersey. 
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CHART  3-1.  RELIABILITY  NOMOGRAPH 
FOR  THE  EXPONENTIAL  FAILURE  DISTRIBUTION 
(Multiply  “R”  values  by  100  for  %  survival) 


Mean  Time 

Hourly 

Between 

Failure 

Failure 

Rate 

(Hours) 

. 

Reliability 

e 

A 

R 

10,000  — 

—  .0001 

—  .999999 

5,000  - 

- 

7  .999995 

- 

— 

.99999 

- 

7  .0005 

7  99995 

1,000  — 

^  .001 

i-  .9999 

500  - 

- 

7  .9995 

- 

— 

.999 

- 

-  .005 

- 

I 

7  .995 

100  — 

01  | 

.99 

50  i 

- 

7  .95 

- 

“ 

—  .90 

- 

7  05 

- 

10  — 

^-.1 

r  5 

5  - 

—  .1 

- 

I  < 

J  R  t 

— 

7  -5 

“ 

- 

1_ 

^-1.0 

- 

j1 

Given  equipment  mean  time  to  failure  or  hourly 
failure  rate  and  operating  time,  solve  for 
reliability.  Connect  "0”  and  “t"  values  with 
straight  line.  Read  "R". 
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CUMULATIVE 
MUMS  W 


CUMULATIVE  OfGRATMG  TIME  T(t) 

Figure  3-1.  Plot  of  Time  versus  Failures 


Figure  3-2  shows  a  further  refinement 
on  the  graphical  procedure.  Here  cumulative 
time  at  each  failure  is  plotted  against  the 
quantity. 

" u  Grrn)  •  <3-*> 

where  n  is  the  number  of  items  at  the  start 
of  a  non-replacement  test,  or  the  number  of 
original  items  plus  replacements  in  a  re¬ 
placement  test,  and  times  are  recorded  as 
time  between  failure.  The  method  is  appli¬ 
cable  to  system  studies,  where  n  now  becomes 
the  number  of  operating  periods  between 
failures. 


The  figures  show  three  cases: 

CASE  A— Exponential  assumption 
is  valid. 

CASE  B— Exponential  valid  over 
prescribed  time  period. 
Change  in  slope  may  be 
due  to  change  in  use  con¬ 
ditions  or  maintenance  pro¬ 
cedures. 

CASE  C— Exponential  valid  over  pre¬ 
scribed  time  period. 
Change  in  slope  indi¬ 
cates  debugging  or  user 
training  period  in  early 
life. 
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Figure  3-2.  Plot  of  Time  versus 


An  Analytical  Method 

This  is  the  best  test  to  use  for  testing 
the  hypothesis  of  an  exponential  distribution 
versus  the  alternative  that  the  failure  rate  is 
not  constant.  Compute  the  value  of  k 


k  =  -2  X 

i=l 


(3-5) 


where  T(ti)  =  total  operating  time  at 
the  i1*1  failure,  T(t)  =  total  operating 
time  at  conclusion  of  test,  r  =  total 
number  of  failures. 


tables  of  the  Chi-square  distribution. 
Alpha  (a)  represents  the  risk  of  rejecting  a 
true  hypothesis  (Type  1  error)  which,  for  this 
test,  is  equivalent  to  concluding  that  the 
failure  rate  is  not  constant  when  in  fact  it  is. 
For  a  fixed  sample  size,  the  lower  the 
specification  on  a,  the  greater  the  chance  of 
accepting  a  false  hypothesis  (Type  11  error) 
by  concluding  that  the  failure  rate  is  con¬ 
stant  when  in  fact  it  is  not.  The  usual  range 
of  a  is  from  0.01  to  0.10  depending  on  the 
consequences  of  making  a  Type  I  error  for 
the  particular  situation.  2r  is  the  number  of 
degrees  of  freedom  (r  is  the  number  of 


k  is  a  variate  with  2r  degrees  of  freedom. 
The  two  critical  values  of  are  f°un<l  in 


2/ 

-  See  Appendix  2. 
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failures)  and  is  used  for  entering  the^  table. 

If  k  lies  between  the  two  values  of  Chi- 
square,  i.e., 

(X2a/2,2r  <k<  X2  l-a/2, 2  J 

then  the  hypothesis  of  the  exponential  pdf 
is  accepted. 

EXAMPLE:  Assume  20  items  were  life 
tested  (non-replacement)  for  100 
hours.  A  total  of  9  failures  occurred 
at  10,  17,  17,  25,  31,  46,  52,  65,  and 
79  hours.  To  test  whether  the  expon¬ 
ential  assumption  is  valid,  compute 


k  =  -2  I  log 


lO; 


20  x  10 
1442 


+  log. 


+  loge 


10  +  19  x  17  + 
1442 


263  +  12  x  79 


1442 


=  -2 


j^8.552j 


=  17.104 

For  a  =  0.05  (95%  confidence  level), 
X20.025,  18  =  8‘23; 

X20.975,  18  =  31,5 

Since  k  falls  between  the  two  critical 
limits,  the  assumption  of  an  expon¬ 
ential  distribution  is  valid. 

If  it  is  desired  to  test  against  the  al¬ 
ternative  hypothesis  that  the  failure  rate  is 
increasing,  then  only  the  lower  critical  limit, 
J2 

X  a,2t< 

is  used.  Similarly,  only  the  upper  critical 
limit,  « 

X  1  -  a,  2r’ 

is  used  if  the  alternative  hypothesis  is  that 
the  failure  rate  is  decreasing. 


3.3  ESTIMATION  OF  CONFIDENCE  LIMITS 
ON  EXPONENTIAL  MEAN  LIFE,  FAILURE  RATE,  AND  RELIABILITY 


The  mean  life  of  an  item  is  estimated 
from  sample  operating  periods  and  failure 
data.  Therefore  allowances  must  be  made 
for  sampling  fluctuations.  Since  it  is  quite 
unlikely  that  any  two  “samples”  drawn  from 
the  same  population  will  produce  the  same 
results,  an  interval  is  computed  for  which 
there  is  a  high  degree  of  confidence  that  it 
will  contain  the  true  population  value.  If  we 
compute  a  95%  confidence  interval,  it  means 
there  is  a  probability  of  0.95  that  the  interval 
will  contain  the  true  parameter  value. 

The  limits  associated  with  the  confi¬ 
dence  interval  are  called  confidence  limits 
(C.L.),  and  the  measure  of  confidence  is  the 


confidence  level  denoted  by  (1  -  a)  where  a 
is  the  probability  that  the  interval  will  not 
contain  the  true  value.  A  one-sided  confi¬ 
dence  interval  is  used  when  we  wish  to  de¬ 
termine  only  a  maximum  or  a  minimum  value 
of  a  parameter,  such  as  the  lower  limit  on 
mean  life  or  the  upper  limit  on  failure  rate. 

The  x2  (Chi-square)  distribution  can 
be  used  to  derive  the  confidence  limits  on 
the  exponential  mean  life.  Table  3-1  gives 
upper  and  lower  factors  (UF  and  LF)  which 
provide  the  two  confidence  limits  when  mul¬ 
tiplied  by  the  point  estimate  of  0  given 
above.  Hence,  the  probability  that  the  true 
mean  life  lies  above  some  lower  limit  (at 
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TABLE  3-1.  UPPER  AND  LOWER  FACTORS  FOR  DETERMINING 
CONFIDENCE  LIMITS  FOR  THE  EXPONENTIAL 
MEAN  LIFE  (TWO-SIDED  LIMITS) 


Number  of 

Failures 
Observed  (r) 

90%  Confidence  Level 

_ 

95%  Confidence  Level 

Lower  95% 
Factor 

Upper  95% 
Factor 

Lower  97.5% 
Factor 

Upper  97.5% 
Factor 

1 

.334 

19.417 

.271 

39.526 

2 

.422 

5.624 

.359 

8.264 

3 

.476 

3.670 

.415 

4.850 

4 

.516 

2.027 

.456 

3.670 

5 

.546 

2.538 

.488 

3.080 

6 

.571 

2.296 

.514 

2.725 

7 

.591 

2.130 

.536 

2.487 

8 

.608 

2.010 

.555 

2.316 

9 

.624 

1.917 

.571 

2.187 

10 

.637 

1.843 

.585 

2.085 

11 

.649 

1.783 

.598 

2.003 

12 

.659 

1.733 

.610 

1.935 

13 

.669 

1.691 

.620 

1.878 

14 

.677 

1.654 

.630 

1.829 

15 

.685 

1.622 

.639 

1.787 

16 

.693 

1.594 

.647 

1.749 

17 

.700 

1.569 

.654 

1.717 

18 

.706 

1.547 

.661 

1.687 

19 

.712 

1.527 

.668 

1.661 

20 

.717 

1.509 

.674 

1.637 

21 

.723 

1.492 

.680 

1.616 

22 

.727 

1.477 

.685 

1.596 

23 

.732 

1.463 

.690 

1.578 

24 

.737 

1.450 

.695 

1.561 

25 

.741' 

1.438 

.700 

1.545 

26 

.745 

1.427 

.704 

1.531 

27 

.748 

1.417 

.709 

1.517 

28 

.752 

1.407 

.713 

1.505 

29 

.755 

1.398 

.717 

1.493 

30 

.759 

1.389 

. 

.720 

_ 

1.482 

Confidence  limits  are  determined  by  multiplying  the  estimated  mean  life  0  by  factors 
which  correspond  to  the  desired  confidence  level  and  the  observed  number  of  failures  in 
the  life  test,  i.e.: 
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a/2)  and  below  some  upper  limit  (at  1  -  a/2) 
is  equal  to  1  -  a,  the  area  between  the  two 
limits,  i.e. 


(I 


p  <LF>a/2,r*l«l<UF)a/2 


.•3 


=  1-a 


where  9  -  point  estimate  of  mean  life 


6  =  true  mean  life  (3-6) 


(LF)a/2  r  =  lower  factor  for  (1  - a)%  C.L. 
based  on  r  failures 


(UF)a/2  r  =  upper  factor  for  (1  -a)%  C.L. 
based  on  r  failures 


The  table  gives  LF  and  UF  for  90%  and  95% 
two-sided  confidence  intervals  for  values  of 
r  from  1  to  30. 


EXAMPLE:  Assume  15  failures  oc¬ 
curred  on  a  life  tegt,  giving  an  esti¬ 
mated  mean  life,  0,  of  2,000  hours. 
From  Table  3-1  the  lower  and  upper 
97.5%  factors  are  0.639  and  1.787,  re¬ 
spectively.  Therefore  the  95%  confi¬ 
dence  interval  is 


Thus  from  this  test  we  can  be  95% 
confident  that  the  true  mean  life  is 
between  1,278  and  3,754  hours. 

Note  that  if  the  data  is  based  on  a  life 
test  where  there  is  a  pre-assigned  trunca¬ 
tion  time,  enter  the  table  with  (r  +  1)  fail¬ 
ures  rather  than  r. 

For  r  greater  than  30,  the  approximate 
values  for  LF  and  UF  are: 


(1)  For  90%  confidence  level  (r>30) 


<LF).05,r 


_ 4r  (3-7) 

(^f4FT"+  1.645) 2 


(UF) 


_  4r 

•05’r  ( \|4r-l  -  1.645)* 


(3-8) 


(2)  For  95%  confidence  level  (r>30), 
replace  1.645  in  the  above  equa¬ 
tions  by  1.96. 


Table  3-11  gives  the  lower  factor 
(LF)a  r  for  one-sided  lower  confidence 
limits’on  the  exponential  mean  life.  Multi¬ 
plying  the  point  estimate  of  9  by  (LF)  gives 
the  one-sided  (1  -  a)%  confidence  limit. 
For  r  greater  than  30, 


(LF) 


4r 


a*r  (^T+X2a)2 


(3-9) 


where 

xl  =  0.84  if  a  =  0.20  (80%  confidence 
limit) 

x2  *  1.28  if  a  =  0.10  (90%  confidence 
limit) 

x2  =  1.645  if  a  =  0.05  (95%  confidence 
limit) 

Chart  3-II  is  a  plot  of  Table  3-II. 

Reliability  Estimates  from  Test  Data 

Since  the  reliability  function  for  the 
exponential  distribution  is  R(t)  -  e" the 
estimate  9  can  be  used  to  estimate  R(t). 
That  is 

R(t)  =  e-t/(* 

The  confidence  interval  for  R(t)  is  then 
approximately 

(e'^L  <  R(t)  <  eH/®  U) 
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TABLE  3-11.  FACTORS  FOR  DETERMINING  LOWER  CONFIDENCE  LIMIT 
FOR  THE  EXPONENTIAL  MEAN  LIFE 


Number  of 
Failures 
Observed  (r) 

Lower  Confidence  Limit 

80% 

90% 

95% 

97.5% 

99% 

1 

.621 

.434 

.334 

.272 

.217 

2 

.668 

.514 

.422 

.360 

.300 

3 

.701 

.566 

.476 

.416 

.358 

4 

.727 

.597 

.516 

.457 

.398 

5 

.746 

.625 

.546 

.486 

.432 

6 

.759 

.649 

.571 

.515 

.458 

7 

.769 

.664 

.591 

.537 

.480 

8 

.780 

.681 

.608 

.555 

.500 

9 

.789 

.692 

.624 

.571 

.516 

10 

.800 

.704 

.637 

.583 

.531 

11 

.806 

.714 

.649 

.596 

.546 

12 

.811 

.723 

.659 

.608 

.558 

13 

.818 

.730 

.669 

.620 

.570 

14 

.824 

.739 

.677 

.630 

.580 

15 

.826 

.744 

.685 

.639 

.590 

16 

.831 

.751 

.693 

.645 

.598 

17 

.835 

.757 

.700 

.654 

.606 

18 

.839 

.763 

.706 

.662 

.614 

19 

.842 

.768 

.712 

.669 

.620 

20 

.846 

.772 

.717 

.765 

.628 

21 

.848 

.776 

.723 

.680 

.635 

22 

.853 

.780 

.727 

.685 

.640 

23 

.855 

.785 

.732 

.690 

.645 

24 

.857 

.788 

.737 

.695 

.650 

25 

.859 

.791 

.741 

.700 

.656 

26 

.862 

.795 

.745 

.705 

.660 

27 

.864 

.798 

.748 

.709 

.666 

28 

.866 

.801 

.752 

.713 

.670 

29 

.868 

.803 

.755 

.718 

.675 

30 

.870 

.806 

.759 

.720 

.678 

The  lower  confidence  limit  is  determined  by  multiplying  the  estimated  mean  life  by  the  factor 
(LF)  which  corresponds  to  the  desired  confidence  level  and  the  observed  number  of  failures, 


i.e,: 


pjO-F^,)  Si*-”]. 


1  -  a 
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CHART  3-11.  RATIO  OF  LOWER  LIMIT  ON  MTF,  TO  OBSERVED 
MTF  AT  SEVERAL  LEVELS  OF  CONFIDENCE,  AS  A 
FUNCTION  OF  THE  NUMBER  OF  FAILURES  USED 
IN  DETERMINING  THE  OBSERVED  MTF 
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where  0^  »  lower  confidence  limit  on  9 

A 

»  upper  confidence  limit  on  9 

In  the  same  manner,  the  one-sided 
(lower)  limit  of  R(t)  is  found  by  using  the 
one-sided  limit  of  9  found  in  Chart  3-II.  As 
an  example,  if  the  total  accumulated  test 
time  was  5,300  hours  after  10  failures  had 
occurred,  then 

9  »  «  530  hours  is  the  observed 

mean  life 

From  Chart  3-11,  the  lower  one-sided  90% 
confidence  limit  on  9  is  (.704X530)  =  373 


hours.  Hence,  we  can  be  90%  confident  that 
the  reliability  at  t  hours  is  at  least 

R(t)  =  e*t/37° 

Figure  3-3  illustrates  the  application 
of  this  lower  90%  confidence  limit  to  the 
exponential  reliability  function.  In  Figure 
3-4  a  90%  confidence  interval  has  bejpn  de¬ 
lved  using  Table  3-1  for  values  of  9y  and 
at  the  90%  level.  In  this  instance  the 
upper  and  lower  bounds  imply  95%  confi¬ 
dence  that  9  is  at  least  338  hours  but  no 
greater  than  977  hours,  or  90%  confidence 
that  9  lies  between  these  two  bounds. 


R(t) 


Figure  3-3.  One-Sided  (Lower)  90%  Confidence  Limit  of  9 
Applied  to  the  Exponential  Reliability  Function 
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6t  *  338  0*530  ©u-977 


Figure  3-4.  Two-Sided  90%  Confidence  Limits  of  6  Applied  to 
the  Exponential  Function,  Where  0\_  and  0U  are 
95%  Limits  for  the  90%  Confidence  Interval 


3.4  ESTIMATION  OF  CONFIDENCE  LIMITS 
ON  MISSION  RELIABILITY  AND  FAILURE  PROBABILITY 

Confidence  limits  for  a  proportion  of  EXAMPLE :  Ten  missiles  are  fired  at 

an  attribute  based  on  a  sample  are  the  limits  target  drones  during  a  system  exer- 

that  contain  the  true  proportion  of  that  at-  cise.  All  ten  successfully  intercept 

tribute  in  the  population  from  which  the  their  respective  targets.  The  observed 

sample  was  drawn.  The  "attribute”  may  be  reliability  in  this  sample  of  ten  is 

the  percent  defective  in  a  production  lot  of  therefore  1.0  (the  proportion  failing 

parts;  the  probability  of  system  failure  in  a  is  zero).  From  Table  3-1II  it  can  be 

given  number  of  operating  cycles;  or  the  stated  with  90%  confidence  that  the 

probability  of  mission  success  in  a  given  probability  of  missile  failure  in  future 

number  of  trials— mission  reliability.  Table  tests  of  this  system  under  the  same 

shows  the  upper  confidence  limits  for  set  of  test  conditions  will  not  exceed 

sample  sizes  ranging  from  2  to  30.  Charts  .206  on  the  basis  of  this  sample  of 

3411,  IV  and  V  extend  the  table  from  sample  data.  Estimated  reliability  of  future 

size  30  to  sample  size  5000.  missile  firings  should  be  at  least  .794 

or  approximately  80%  at  the  90%  level 

-  of  confidence. 

—  Statistics  Manual,  E.  L.  Crow,  Frances  A.  Davis, 

and  Margaret  W.  Maxfield,  Dover  Pnblications,  Inc., 
p.  262. 


EXAMPLE :  In  a  sample  of  50  transis¬ 
tors,  20%  are  observed  to  be  defective. 
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Chart  3-III  may  be  used  to  determine 
the  limits  for  the  true  percentage  of 
defectives  in  the  population  from 
which  the  sample  was  drawn.  The 
chart  shows  that,  for  a  proportion  of 
r/N  =  .2  (20%  in  a  sample  of  50),  the 
upper  95%  confidence  limit  is  .32.  It 
may  be  stated  with  95%  confidence 
that  the  true  percent  defective  of  the 
population  from  which  the  sample  was 
drawn  is  less  than  32%. 

EXAMPLQ:  A  complex  weapon  con¬ 
trol  system  is  subjected  to  operational 
evaluation  in  the  Fleet.  In  100  ran¬ 
domly  scheduled  system  exercises 
(mission  trials)  the  system  failed  to 
respond  to  command  on  five  occasions 
(r/N  =  .05)  for  an  estimated  availability 
of  .95.  It  can  be  stated  with  90%  con¬ 
fidence  that  the  availability  of  the 
weapon  control  system  for  any  future 
demand  is  at  least. 9;  that  is,  it  will  be 
availablefor  tactical  use  approximately 
9  times  in  10. 

When  the  sample  size  of  interest  does 
not  appear  on  the  chart,  the  following  approx¬ 
imate  formula  may  be  used  to  compute  confi¬ 
dence  intervals  on  the  true  proportion  in  the 
population  from  which  the  sample  is  drawn: 

D  (r+Z2/2)  ±  \Ar+Z2/2)2  -  r2/N(N+Z2) 
P  N  +  Z* 

(3-10) 

where  r  *  number  of  observed 
failures 

N  =  Sample  size,  where  N  >  30 

p  =  true  proportion  in  the 
population 

and  Z  has  the  following  values  for  the  in¬ 
dicated  single  limit  confidence  limits: 


Upper  or  Lower 
Confidence  Limit 

Confidence 

“Band” 

Z 

80.0% 

60% 

0.840 

90.0% 

80% 

1.282 

95.0% 

90% 

1.645 

97.5% 

95% 

1.960 

99.5% 

99% 

2.576 

EXAMPLE:  In  the  95  trials  in  which 
the  weapon  control  system  in  the  above 
example  was  “up”  when  needed,  it 
successfully  completed  80  of  95  at¬ 
tempted  3-hour  missions  (r/N  =  15/95) 
for  an  observed  reliability  of  .842.  To 
solve  for  the  lower  95%  confidence 
limit  on  the  observed  reliability,  sub¬ 
stitute  values  of  r,  N,  and  Z  into 
Equation  (3-10)  as  follows,  remember¬ 
ing  that  the  lower  limit  on  the  relia¬ 
bility  estimate  is  equal  to  one  minus 
the  upper  confidence  limit  on  r/N  or  p: 

[15+(1. 645)2/2] 

P  “  95+U.645)2 

+t/[15+(1.645)2/2]2-225/95[95+(l. 645)2] 
*  95+(1.645)2 


[16.35]  +/[16.3512  -  231 
- 97T - 

= JgiOS  „  236 
97.7 

and  *1-Py  =  l-  .236  =  .764 

We  can  say,  with  95%  confidence,  that 
reliability  of  the  weapon  control  sys¬ 
tem  is  at  least  .764  under  the  condi¬ 
tions  that  prevailed  during  the  test. 
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TABLE  3— III.  ONE-SIDED  CONFIDENCE  LIMITS  FOR  A  PROPORTION 


If  the  observed  proportion  is  r/n,  enter  the  table  with  a  and  r  for  an  upper  one-eid*d  limit.  For  a  lower  one¬ 
sided  limit,  enter  the  table  with  n  and  n  —  r  and  subtract  the  table  entry  from  1. 


r 

90* 

95* 

99* 

r 

90* 

95* 

99* 

r 

90* 

95* 

99* 

n  = 

2 

n  = 

3 

n  = 

-  4 

0 

.684 

.776 

.900 

0 

.536 

.632 

.785- 

.438 

.527 

.684 

1 

.949 

.975- 

.995- 

1 

.804 

.365- 

.941 

i 

.680 

.751 

.859 

2 

.965+ 

.983 

.997 

2 

.857 

.902 

.958 

3 

.974 

.987 

.997 

n  = 

5 

0  = 

6 

D  = 

7 

0 

.369 

.451 

.602 

0 

.319 

.393  * 

.536 

0 

.280 

.348 

.482 

1 

.584 

.657 

.778 

1 

.510 

.582 

.706 

1 

.453 

.521 

.643 

2 

.753 

.811 

.894 

2 

.667 

.729 

.827 

2 

.596 

.659 

.764 

3 

.888 

.924 

.967 

3 

.799 

.847 

.915  + 

3 

.721 

.775- 

.858 

4 

.979 

.990 

.998 

4 

.907 

.937 

.973 

4 

.830 

.871 

.929 

5 

.983 

.991 

.998 

5 

.921 

.947 

.977 

6 

.985+ 

.993 

.999 

n  = 

8 

D  = 

9 

n  = 

10 

mm 

.250 

.312 

.438 

0 

.226 

.283 

.401 

0 

.206 

.259 

.369 

.406 

.471 

.590 

1 

.368 

.429 

.544 

1 

.337 

.394 

.504 

KX 

.538 

.600 

.707 

2 

.490 

.550 

.656 

2 

.450 

.507 

.612 

Bi 

.655+ 

.711 

.802 

3 

.599 

.655+ 

.750 

3 

.552 

.607 

.703 

.760 

.807 

.879 

4 

.699 

.749 

.829 

4 

.646 

.696 

.782 

.853 

.889 

.939 

5 

.790 

.831 

.895- 

5 

.733 

.778 

.850 

.931 

.954 

.980 

6 

.871 

.902 

.947 

6 

.812 

.850 

.907 

.987 

.994 

.999 

7 

.939 

.959 

.983 

7 

.884 

.913 

.952 

8 

.988 

.994 

.999 

8 

.945+ 

.963 

.984 

■H 

9 

.990 

.995- 

.999 

n  = 

11 

n  = 

12 

n  = 

13 

0 

.189 

.238 

.342 

0 

.175- 

.221 

.319 

0 

.162 

.206 

.298 

1 

.310 

.364 

.470 

1 

.287 

.339 

.440 

1 

.268 

.316 

.413 

2 

.415+ 

.470 

.572 

2 

.386 

.438 

.537 

2 

.360 

.410 

.506 

3 

.511 

.564 

.660 

3 

.475+ 

.527 

.622 

3 

.444 

.495- 

.588 

4 

.599 

.650 

.738 

4 

.559 

.609 

.698 

4 

.523 

.573 

.661 

5 

.682 

.729 

.806 

5 

.638 

.685- 

.765+ 

5 

.598 

.645+ 

.727 

6 

.759 

.800 

.866 

6 

.712 

.755- 

.825+ 

6 

.669 

.713 

.787 

7 

.831 

.865- 

.916 

7 

.781 

.819 

.879 

7 

.736 

.776 

.841 

8 

.895+ 

.921 

.957 

8 

.846 

.877 

.924 

8 

.799 

.834 

.889 

9 

.951 

.967 

.986 

9 

.904 

.928 

.961 

9 

.858 

.887 

.931 

10 

.990 

.995+ 

.999 

10 

.955- 

.970 

.987 

10 

.912 

.934 

.964 

11 

.991 

.996 

.999 

11 

.958 

.972 

.988 

12 

.992 

.996 

.999 

n  = 

14 

n  = 

15 

n  = 

16 

0 

.152 

.193 

.280 

0 

.142 

.181 

.264 

.134 

.250 

1 

.251 

.297 

.389 

1 

.236 

.279 

.368 

.349 

2 

.337 

.385+ 

.478 

2 

.317 

.363 

.453 

oi 

Bin 

.430 

3 

.417 

.466 

.557 

3 

.393 

.440 

.529 

3 

.371 

.417 

.503 

4 

.492 

.540 

.627 

4 

.464 

.511 

.597 

4 

.439 

.484 

.569 

S 

.563 

.610 

.692 

5 

.532 

.577 

.660 

5 

.504 

.548 

.630 
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TABLE  3 — 111  -  ONE-SIDED  LIMITS  (Contd.) 


r 

90% 

95% 

99% 

r 

90% 

95% 

99% 

r 

90% 

95% 

99% 

n  = 

14 

2k  = 

15 

D  =■ 

16 

6 

.631 

.675- 

.751 

6 

.596 

.640 

.718 

6 

.565+ 

.609 

.687 

7 

.695+ 

.736 

.805+ 

7 

.658 

.700 

.771 

7 

.625- 

.667 

.739 

8 

.757 

.794 

.854 

8 

.718 

.756 

.821 

8 

,682 

.721 

.788 

9 

.815- 

.847 

.898 

9 

.774 

.809 

.865+ 

9 

.737 

.773 

.834 

10 

.869 

.896 

.936 

10 

.828 

.858 

.906 

10 

.790 

.822 

.875- 

mm 

.919 

.939 

.967 

11 

.878 

.903 

.941 

11 

.839 

.868 

.912 

In 

.961 

.974 

.989 

12 

.924 

.943 

.969 

12 

.886 

.910 

.945- 

KB 

.993 

.996 

.999 

13 

.964 

.976 

.990 

13 

.929 

.947 

.971 

KB 

14 

.993 

.997 

.999 

14 

.966 

.977 

.990 

1  - 

15 

.993 

.997 

.999 

n  = 

17 

0  = 

18 

n  = 

19 

0 

.127 

.162 

.237 

0 

.120 

.153 

.226 

0 

.114 

.146 

.215+ 

1 

.210 

.250 

.332 

1 

.199 

.238 

.316 

1 

.190 

.226 

.302 

2 

.284 

.326 

.410 

2 

.269 

.310 

.391 

2 

.257 

.296 

.374 

3 

.352 

.396 

.480 

3 

.334 

.377 

.458 

3 

.319 

.359 

.439 

4 

.416 

.461 

.543 

4 

.396 

.439 

.520 

4 

.378 

.419 

.498 

5 

.478 

.522 

.603 

5 

.455+ 

.498 

.577 

5 

.434 

.476 

.554 

6 

.537 

.580 

.658 

6 

.512 

.554 

.631 

6 

.489 

.530 

.606 

7 

.594 

.636 

.709 

7 

.567 

.608 

.681 

7 

.541 

.582 

.655+ 

8 

.650 

.689 

.758 

8 

.620 

.659 

.729 

8 

.592 

.632 

.702 

9 

.703 

.740 

.803 

9 

.671 

.709 

.774 

9 

.642 

.680 

.746 

10 

.754 

.788 

.845- 

10 

.721 

.756 

.816 

10 

.690 

.726 

.788 

11 

.803 

.834 

.883 

11 

.769 

.801 

.855- 

11 

.737 

.770 

.827 

12 

.849 

.876 

.918 

12 

.815- 

.844 

.890 

12 

.782 

.812 

.863 

13 

.893 

.915+ 

.948 

13 

.858 

.884 

.923 

13 

.825- 

.853 

.897 

14 

.933 

.950 

.973 

14 

.899 

.920 

.951 

14 

.866 

.890 

.927 

15 

.968 

.979 

.991 

15 

.937 

.953 

.975- 

15 

.905- 

.925- 

.954 

16 

.994 

.997 

.999 

16 

.970 

.980 

.992 

16 

.941 

.956 

.976 

17 

.994 

,997 

.999 

17 

.972 

.981 

.992 

18 

.994 

.997 

.999 

n  = 

20 

n  = 

21 

o  = 

22 

0 

.109 

.139 

.206 

0 

.104 

.133 

.197 

0 

.099 

.127 

.189 

1 

.181 

.216 

.289 

1 

.173 

.207 

.277 

1 

.166 

.198 

.266 

2 

.245- 

.283 

.358 

2 

.234 

.271 

.344 

2 

.224 

.259 

.330 

3 

.304 

.344 

.421 

3 

.291 

.329 

.404 

3 

.279 

.316 

.389 

4 

.361 

.401 

.478 

4 

.345+ 

.384 

.460 

4 

.331 

.369 

.443 

5 

.415- 

.456 

.532 

5 

.397 

.437 

.512 

5 

.381 

.420 

.493 

6 

.467 

.508 

.583 

6 

.448 

.487 

.561 

6 

.430 

.468 

.541 

7 

.518 

.558 

.631 

7 

.497 

.536 

.608 

7 

.477 

.515+ 

.587 

8 

.567 

.606 

.677 

8 

.544 

.583 

.653 

8 

.523 

.561 

.630 

9 

.615+ 

.653 

.720 

9 

.590 

.628 

.695+ 

9 

.568 

.605- 

.672 

10 

.662 

.698 

.761 

10 

.636 

.672 

.736 

10 

.611 

.647 

.712 

■s 

.707 

.741 

.800 

11 

.679 

.714 

.774 

11 

.654 

.689 

.750 

KS 

.751 

.783 

.837 

12 

.722 

.755+ 

.811 

12 

.695+ 

.729 

.786 

K  9 

.793 

.823 

.871 

13 

.764 

.794 

.845+ 

13 

.736 

.767 

.821 

14 

.834 

.860 

.902 

14 

.804 

.832 

.878 

14 

.775+ 

.804 

.853 

15 

.873 

.896 

.931 

15 

.842 

.868 

.908 

15 

.813 

.840 

.884 

16 

.910 

.929 

.956 

16 

.879 

.901 

.935- 

16 

.850 

.874 

.912 

17 

.944 

.958 

.977 

17 

.914 

.932 

.959 

17 

.885+ 

.906 

.938 

18 

.973 

.982 

.992 

18 

.946 

.960 

.978 

18 

.918 

.935+ 

.961 

19 

.995- 

.997 

.999 

19 

.974 

.983 

.993 

19 

.949 

.962 

.979 

20 

.995- 

.998 

1.000 

20 

.976 

.984 

.993 

21 

.995+ 

.998 

1.000 
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TABLE  3— III  -  ONE-SIDED  LIMITS  (Contd.) 


r 

90% 

95% 

99% 

r 

90% 

95% 

99% 

r 

90% 

95% 

99% 

n  = 

23 

n  = 

24 

n  = 

25 

0 

.095+ 

.122 

.181 

0 

.091 

.117 

.175- 

0 

.088 

.133 

.168 

1 

.159 

.190 

.256 

1 

.153 

.183 

.246 

1 

.147 

.176 

.237 

2 

.215+ 

.249 

.318 

2 

.207 

.240 

.307 

2 

.199 

.231 

.296 

3 

.268 

.304 

.374 

3 

.258 

.292 

.361 

3 

.248 

.282 

.349 

4 

.318 

.355- 

.427 

4 

.306 

.342 

.412 

4 

.295- 

.330 

.398 

5 

.366 

.404 

.476 

5 

.352 

.389 

.460 

5 

.340 

.375+ 

.444 

6 

.413 

.451 

.522 

6 

.398 

.435- 

.505- 

6 

.383 

.420 

.488 

7 

.459 

.496 

.567 

7 

.442 

.479 

.548 

7 

.426 

.462 

.531 

8 

.503 

.540 

.609 

8 

.484 

.521 

.590 

8 

.467 

.504 

.571 

9 

.546 

.583 

.650 

9 

.526 

.563 

.630 

9 

.508 

.544 

.610 

10 

.589 

.625- 

.689 

10 

.567 

.603 

.668 

10 

.548 

.583 

.648 

11 

.630 

.665- 

.727 

11 

.608 

.642 

.705- 

11 

.587 

.621 

.684 

12 

.670 

.704 

.763 

12 

.647 

.681 

.740 

12 

.625- 

.659 

.719 

13 

.710 

.742 

.797 

13 

.685+ 

.718 

.774 

13 

.662 

.695- 

.752 

14 

.748 

.778 

.829 

14 

.723 

.754 

.806 

14 

.699 

.730 

.784 

15 

.786 

.814 

.860 

15 

.759 

.788 

.837 

15 

.735- 

.764 

.815+ 

16 

.822 

.848 

.889 

16 

.795+ 

.822 

.867 

16 

.770 

.798 

.845  + 

17 

.857 

.880 

.916 

17 

.830 

.854 

.894 

17 

.804 

.830 

.873 

18 

.890 

.910 

.941 

18 

.863 

.885+ 

.920 

18 

.837 

.861 

.899 

19 

.922 

.938 

.962 

19 

.895+ 

.914 

.943 

19 

.869 

.890 

.923 

20 

.951 

.963 

.980 

20 

.925  + 

.941 

.964 

20 

.899 

.918 

.946 

21 

.977 

.984 

.993 

21 

.953 

.965+ 

.981 

21 

.928 

.943 

.966 

22 

.995+ 

.998 

1.000 

22 

.978 

.985- 

.994 

22 

.955+ 

.966 

.982 

23 

.996 

.998 

1.000 

23 

.979 

.986 

.994 

24 

.996 

.998 

1.000 

n  - 

26 

n  = 

27 

n  = 

28 

0 

.085- 

.109 

.162 

0 

.082 

.105+ 

.157 

0 

.079 

.101 

.152 

l 

.142 

.170 

.229 

1 

.137 

.164 

.222 

1 

.132 

.159 

.215 

2 

.192 

.223 

.286 

2 

.185+ 

.215+ 

.277 

2 

.179 

.208 

.268 

3 

.239 

.272 

.337 

3 

.231 

.263 

.326 

3 

.223 

.254 

.316 

4 

.284 

.318 

.385- 

4 

.275- 

.308 

.373 

4 

.265+ 

.298 

.361 

5 

.328 

.363 

.430 

5 

.317 

.351 

.417 

5 

.306 

.339 

.404 

6 

.370 

.405+ 

.473 

6 

.358 

.392 

.458 

6 

.346 

.380 

.445- 

7 

.411 

.447 

.514 

7 

.397 

.482 

.498 

7 

.385- 

.419 

.484 

8 

.451 

.487 

.554 

8 

.436 

.471 

.537 

8 

.422 

.457 

.521 

9 

.491 

.526 

.592 

9 

.475- 

.509 

.574 

9 

.459 

.494 

.558 

10 

.529 

.564 

.628 

10 

.512 

.547 

.610 

10 

.496 

.530 

.593 

11 

.567 

.602 

.664 

11 

.549 

.583 

.645+ 

11 

.532 

.565+ 

.627 

12 

.604 

.638 

.698 

12 

.585- 

.618 

.679 

12 

.567 

.600 

.660 

13 

.641 

.673 

.731 

13 

.620 

.653 

.711 

13 

.601 

.634 

.692 

14 

.676 

,708 

.763 

14 

.655+ 

.687 

.743 

14 

.635+ 

.667 

.723 

15 

.711 

.742 

.794 

15 

.689 

.720 

.773 

15 

.669 

.699 

.753 

16 

.746 

.774 

.823 

16 

.723 

.752 

.802 

16 

.701 

.731 

.782 

17 

.779 

.806 

.851 

17 

.756 

.783 

.831 

17 

.733 

.762 

.810 

18 

.812 

.837 

.878 

18 

.788 

.814 

.857 

18 

.765- 

.792 

.837 

19 

.843 

.866 

,903 

19 

.819 

.843 

.883 

19 

.796 

.821 

.863 

20 

.874 

.894 

.927 

20 

.849 

.871 

.907 

20 

.826 

.849 

.888 

21 

.903 

.921 

.948 

21 

.879 

.899 

.930 

21 

.855+ 

.876 

.911 

22 

.931 

.946 

.967 

22 

.907 

.924 

.950 

22 

.883 

.902 

.932 

23 

.957 

.968 

.983 

23 

.934 

.948 

.968 

23 

.911 

.927 

.952 

24 

.979 

.986 

.994 

24 

.958 

.969 

.983 

24 

.936 

.950 

.969 

25 

.996 

.998 

1.000 

25 

.980 

.987 

.994 

25 

.960 

.970 

.984 

26 

.996 

.998 

1.000 

26 

.981 

.987 

.995- 

27 

.996 

.998 

1.000 
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TABLE  3 — III  -  ONE-SIDED  LIMITS  (Contd.) 
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CHART  3-V.  ONE-SIDED  8096  CONFIDENCE  LIMITS 
FOR  A  PROPORTION,  0  <  r/N  <  0.2 
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APPENDIX  4.  REDUNDANCY  CONSIDERATIONS 

IN  DESIGN 


4.1  INTRODUCTION 


Under  certain  circumstances  during 
system  design  it  may  become  necessary  to 
consider  the  use  of  redundancy  to  reduce  the 
probability  of  system  failure— to  enhance  sys¬ 
tem  reliability— by  providing  more  than  one 
functional  path  or  operating  element  in  areas 
that  are  critically  important  to  system  suc¬ 
cess.  The  use  of  redundancy  is  not  a  pan¬ 
acea  to  solve  all  reliability  problems,  nor  is 
it  a  substitute  for  good  design  in  the  first 
place.  By  its  very  nature,  redundancy  im¬ 
plies  increased  complexity,  increased  weight 
and  space,  increased  power  consumption, 
and  usually  a  more  complicated  system  check¬ 
out  and  monitoring  procedure.  On  the  other 
hand,  redundancy  is  .the  only  solution  to 
many  of  the  problems  confronting  the  designer 
of  today’s  complex  weapon  systems. 

It  is  the  purpose  of  this  appendix  to 
present  a  brief  description  of  the  more  com¬ 
mon  types  of  redundant  configurations  avail¬ 
able  to  the  designer,  with  the  applicable 
block  diagrams,  mathematical  formulae,  and 
reliability  functions  to  facilitate  the  compu¬ 
tation  of  reliability  gain  to  be  expected  in 
each  case. 

4.1.1  Levels  of  Redundancy 

Redundancy  may  be  applied  at  the 
system  level  (essentially  two  systems  in 


parallel)  or  at  the  subsystem,  component,  or 
part  level  within  a  system.  Figure  4-1  is  a 
simplified  reliability  block  diagram  drawn  to 
illustrate  the  several  levels  at  which  redun¬ 
dancy  can  be  applied.  System  D  is  shown 
with  its  redundant  alternate,  D‘,  at  the  sys¬ 
tem  level.  D'  is  in  turn  built  up  of  redun¬ 
dant  subsystems  or  components  (Ct  and  C2) 
and  redundant  parts  within  components  (bj 
and  b2  within  Component  B). 

From  the  reliability  block  diagram  and 
a  definition  of  block  or  system  success,  the 
paths  that  will  result  in  successful  system 
operation  can  be  determined,  For  example, 
the  possible  paths  from  I  to  0  are: 

(1)  A,  a,  bj,  C, 

(2)  A,  a,  bt,  C2 

(3)  A,  a,  b2,  Cj 

(4)  A,  a,  b2,  C2 

(5)  D 

The  success  of  each  path  may  be  com¬ 
puted  by  determining  an  assignable  reliabil¬ 
ity  value  for  each  term  and  applying  the 
multiplication  theorem.  The  computation  of 
system  success  (all  paths  combined)  re- 
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Figure  4-1.  Reliability  Block  Diagram  Depicting  Redundancy  at  the  System, 
Subsystem,  and  Component  Levels 


quires  a  knowledge  of  the  type  of  redun¬ 
dancy  to  be  used  in  each  case  and  an  esti¬ 
mate  of  individual  element  reliability  (or 
unreliability). 

4.1.2  Probability  Notation  for  Redundancy 
Computations 

Reliability  of  redundancy  combinations 
is  expressed  in  probabilistic  terms  of  suc¬ 
cess  or  failure— for  a  given  mission  period,  a 
given  number  of  operating  cycles,  or  a  given 
number  of  time-independent  “events”,  as 
appropriate.  The  “MTBF”  measure  of  re¬ 
liability  is  not  readily  usable  because  of  the 
non-exponent iality  of  the  reliability  function 
produced  by  redundancy.  Reliability  of  re¬ 
dundancy  combinations  which  are  “time- 
dependent”  is  therefore  computed  at  a  dis¬ 
crete-  point  in  time,  as  a  probability  of  suc¬ 
cess  for  this  descrete  time  period.  The  fol¬ 


lowing  notation  is  applicable  to  all  cases 
and  is  used  throughout  this  appendix: 

R  =  probability  of  success  or  re¬ 
liability  of  a  unit  or  block. 

R  =  probability  of  failure  or  unre¬ 
liability  of  a  unit  or  block. 

p  =  probability  of  success  or  re¬ 
liability  of  an  element. 

q  =  probability  of  failure  or  unre¬ 
liability  of  an  element. 

For  probability  statements  concerning 
an  event: 

P(A)  =  probability  that  A  occurs. 

P(A)  =  probability  that  A  does  not 
occur. 
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UNIT  A  UNIT  B  UNIT  C 

Figure  4*2.  Series-Parallel  Configuration 


For  the  above  probabilities: 

R  +  R  =  1 
p  +  q  =  1 
P(A)  +  P(A)  =  1 

4. 1 .3  Redundancy  Combinations 

The  method  of  handling  redundancy 
combinations  can  be  generalized  as  follows: 

•  If  the  elements  are  in  parallel 
and  the  units  in  series  (Figure 
4-2),  first  evaluate  the  redundant 
elements  to  get  the  unit  re¬ 
liability;  then  find  the  product  of 
all  unit  reliabilities  to  obtain 
the  block  reliability. 


the  product  of  the  reliabilities  of 
all  elements  in  each  path;  then 
consider  each  path  as  a  redundant 
unit  to  obtain  theblock  reliability. 

In  the  redundancy  combination  shown 
in  Figure  4-2,  Unit  A  has  two  parallel  re¬ 
dundant  elements,  Unit  B  has  three  parallel 
redundant  elements,  and  Unit  C  has  only  one 
element.  Assume  that  all  elements  are  in¬ 
dependent.  For  Unit  A  to  be  successful, 
Aj  or  A  2  must  operate;  for  Unit  B,  Bj  or  B2 
or  B3  must  operate;  and  C  must  always  be 
operating  for  block  success.  Translated  into 
probability  terms,  the  reliability  of  Figure  4-2 
becomes: 

R  =  [1  -  P(  A  X)P(  A  2)][1  -  P(B  j  )P(B  2)P(B3)]P(C) 

If  the  probability  of  success,  p,  is  the 
same  for  each  element  in  a  unit, 

R  =  [1  -  (1  -  pA)2Hl  -  (1  -  Pb)3]Pc 


•  If  the  elements  are  in  series  and 
the  units  or  paths  are  in  parallel 
(Figure  4-3),  first  obtain  the 
path  reliability  by  calculating 


=  (i  -  qA2MJ  •  Opc 
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Figure  4*3.  Parallel-Series  Configuration 


where 

q.=  i-Pi 

Often  there  is  a  combination  of  series 
and  parallel  redundancy  in  a  block  as  shown 
in  Figure  4-3a.  This  arrangement  can  be  con¬ 
verted  into  the  simple  parallel  form  shown  in 
Figure  4-3b  by  first  evaluating  the  series 
reliability  of  each  path: 


PA  Pa^aj 

Pb  =  Pb1Pb2Pb3 

where  the  terms  on  the  right  hand  side  repre¬ 
sent  element  reliability.  Then  block  re¬ 
liability  can  be  found  from 

R  =  1  -  (1  -  p A) (1  -  Pp) 

=  1  *  PaPb 
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4.1.4  Time-Dependent  Considerations  R(t)  =  pa(t)pb(t) 


The  reliability  of  elements  used  in  re¬ 
dundant  configurations  is  usually  time- 
dependent.  If  the  relation  between  element 
reliability  and  time  is  known,  inclusion  of 
the  time  factor  does  not  change  the  basic 
notation  and  approach  to  redundancy  com¬ 
putation  outlined  above.  As  an  example, 
assume  two  active  independent  elements  in 
parallel.  System  reliability  is  given  by: 

R  =  Pa  +  Pb  ‘  PaPb 


System  reliability,  R(t),  function  is 
also  exponential.  With  redundant  elements 
present  in  the  system,  however,  the  system 
reliability  function  is  not  itself  exponential, 
as  illustrated  by  two  operative  parallel 
elements  whose  failure  rates  are  constant. 
From 


This  equation  is  applicable  for  one  time  in¬ 
terval.  To  express  reliability  over  a  segment 
of  time,  the  reliability  of  each  element  must 
be  expressed  as  a  function  of  time.  Hence, 

R(t)  =  pa(t)  +  pb(t)  -  pa(t)pb(t) 


where 

R(t)  -  system  reliability  at  timet,  t>0 

p  (t),  pb(t)  =  element  reliabilities  at 
time  t 

The  failure  pattern  of  most  components 
is  described  by  the  exponential  distribution-^-/ 
i.e.: 

R=e*At  =  e‘t/0 


R(t)  =  pa  +  Pb  *  papb 


R(t) 


)t 


(A 
e 


)t 


e',A« 


+  Ab)t 


which  is  not  of  the  simple  exponential  form 
e-At.  Element  failure  rates  cannot,  therefore, 
be  combined  in  the  usual  manner  to  obtain 
the  system  failure  rate  if  considerable  re¬ 
dundancy  is  inherent  in  the  design. 

Although  a  single  failure  rate  cannot 
be  used  for  redundant  systems,  the  mean- 
time-to-failure  of  such  systems  can  be 
evaluated.  The  mean  life  of  a  redundant 
"pair”  whose  failure  rates  are  Afl  and  Afa, 
respectively,  can  be  determined  from 

MTBF  -=  -L  +  _L  -  - \ - 

Aa  Ab  Aa  +  Aj, 


where  A  is  the  constant  failure  rate;  t  is  the 
time  interval  over  which  reliability,  R,  is 
measured;  and  0  is  the  mean-time-to-failure. 

For  two  elements  in  series  with  constant 
failures  rates  Aa  and  Ab,  using  the  product 
rule  of  reliability  gives: 


If  the  failure  rates  of  both  elements  are 
equal,  then, 

R(t)  =  2e'A*  -  e*2At 

and 

MTBF=^L=  \o 


b^For  a  discussion  of  other  distributions,  sec 

Appendix  2. 


For  three  independent  elements  in  parallel, 
the  reliability  function  is 
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R(t)  =1-  1(1  -  e'(Aah)(l  -  e‘<Abh)(l  -  e*(Ach)] 


MTBF  = 


If 


JL  +  J.+.i - I _ I - 

Aa  Ac  Aa  +  ^b  Aa  +  Ac 

._i_+ _ I _ 

Ab  +  Ac  Aa  +  Ab  +  Ac 

Aa  =  Ab  =  Ac  =  A 
R(t)  =  3e*At  -  3e*2At  +  e*3At 


MTOF 


J1 

6A 


unit(s)  will  continue  to  perform 
the  system  function.  It  is  not 
necessary  to  switch  out  the  failed 
unit  nor  to  switch  in  the  redundant 
unit.  Failure  of  the  one  may  or 
may  not  change  the  probability  of 
failure  of  the  remaining  units,  de¬ 
pending  upon  the  nature  of  the 
“load”  being  shared. 

(b)  Switching  Redundancy:  operative 
redundant  units  are  connecred  by 
a  switching  mechanism  to  dis¬ 
connect  a  failed  unit  and  to  con¬ 
nect  one  of  the  remaining  operative 
redundant  units  into  the  system. 


In  general,  for  n  active  parallel  elements, 
each  element  having  the  same  constant 
failure  rate,  A, 

R(t)  =  1  -  [1  -  e*At]n 

and 

n  ,  n  a 
MTBF  =  2^-  =  Z-JL 

i=l  i=i  i 

4.1.5  Types  and  Classifications  of 
Redundancy 

The  following  types  of  parallel  re¬ 
dundancy  most  commonly  used  in  equipment 
design  are  described  in  this  appendix: 

(1)  Operative  Redundancy  -  redundant 
units  (or  elements),  all  of  which  are 
fully  energized  during  the  system 
operational  cycle.  Operative  re¬ 
dundancy  may  be  further  classified  as 
follows: 

(a)  Load-Sharing  Redundancy:  re¬ 
dundant  units  are  connected  in 
such  a  manner  that,  upon  failure 
of  one  unit,  the  remaining  redundant 


(2)  Standby  Redundancy  -  redundant  units 
(or  elements)  that  are  non-operative 
(i.e.,  have  no  power  applied)  until  they 
are  switched  into  the  system  upon 
failure  of  the  primary  unit.  Switching 
is  therefore  always  required. 

(3)  Voting  Redundancy  -  the  outputs  of 
three  or  more  operating  redundant  units 
are  compared,  and  one  of  the  outputs 
that  agrees  with  the  majority  of  out¬ 
puts  is  selected.  In  most  cases,  units 
delivering  outputs  that  fall  in  the 
minority  group  are  classed  as  “unit 
failures”. 

(4)  Redundancy-With-Repair  —  if  a  re¬ 
dundant  element  fails  during  a  mission 
and  can  be  repaired  essentially  “on¬ 
line”  (without  aborting  the  mission), 
then  redundancy-with-repair  can  be 
achieved.  The  reliability  of  dual  or 
multiple  redundant  elements  can  be 
substantially  increased  by  use  of  this 
design  concept. 

Diagrams,  formulae,  charts,  and  re¬ 
liability  functions  are  presented  in  the 
following  pages  for  the  above  types  and 
classes  of  redundancy. 
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4.2  OPERATIVE  OR  ACTIVE  REDUNDANT  CONFIGURATIONS 


Formulae  and  graphs  presented  in  this 
section  not  account  for  any  change  in 
failu  s  which  survivors  in  a  redundant 

“lot  mg’*  configuration  might  ex- 
perie  is  a  result  of  increased  operating 
stress  .  This  aspect  of  redundancy  design 
is  discussed  in  Paragraph  4.5  of  this 
appendix,  under  “Dependent  Failure  Prob¬ 
abilities”.  Also,  except  as  discussed  in 
4.2.4,  it  is  assumed  in  the  operative  case 
that  switching  devices  are  either  not  re¬ 
quired  or  are  relatively  simple  and  failu  re-free. 

4.2.1  Multiple  Redundancy 

Figure  4-4  shows  a  block  diagram  repre¬ 
senting  duplicate  parallel  components.  There 
are  two  parallel  paths  for  successful 
operation  —  Aj  or  A2.  If  the  probability  of 
each  component  operating  successfully  is 
Pj,  the  probability  of  circuit  success  can  be 
found  by  either  the  addition  theorem  or  the 
multiplication  theorem  of  probability  (see 
Chart  2-1,  Appendix  2). 


Figure  4-4.  Duplicate  Parallel  Redundancy 
(Operative  Case) 

By  the  multiplication  theorem,  the 
circuit  can  fail  only  if  both  components  fail. 
Since  Aj  and  A2  are  independent,  the  prob¬ 


ability  of  sucdess  is  equal  to  one  minus  the 
probability  that  both  components  fail,  or 

R  =  1  -  qiq2 

For  example,  if  pt  =  p2  =  0.9, 

R  =  1  -  (0.  I)2  =  0.99 

More  than  two  redundant  elements  are 
represented  by  the  reliability  block  diagram 
shown  in  Figure  4-5.  There  are  m  paths  (or 
elements),  at  least  one  of  which  must  be 
operating  for  system  success.  The  prob¬ 
ability  of  system  success  is  therefore  the 
probability  that  not  all  of  the  elements  will 
fail  during  the  mission  period,  shown  as 

R  =  1  -  qiq2.  .  .qm 

where  qt  =  1  -  Rj,  etc. 

If  parallel  elements  are  identical,  then 
R  =  1  -  qm 


Figure  4-5.  Multiple  Redundant  Array  of  m 
Elements,  with  k  =  1  Required  for  Success 
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At  o  t/0  FOR  A  BASIC  ELEMENT 


Figure  4-6.  System  Reliability  for  n  Element  Operative  Redundant  Configurations 


Figure  4-6  is  a  chart  relating  system 
reliability  to  the  ratio  t/0  =  At  of  individual 
elements  making  up  the  redundant  system. 
Curves  for  n  elements  (from  n  =  1  to  n  =  5) 
are  shown.  One  element  in  n  must  remain 
operative  for  the  prescribed  time  interval  t, 
to  achieve  the  probability  of  system  failure 
shown. 

EXAMPLE:  The  inverter  function  for 
an  airborne  system  has  been  allocated 
a  reliability  requirement  of  R(t)  =  .99 
for  a  5-hour  mission.  Current  pre¬ 
dictions  of  the  MTBF  feasibility  by 
conventional  design  is  50  hours. 
Entering  the  chart  at  t/0  =  5/50  =  0.1, 
proceed  vertically  to  .99,  the  required 
reliability  for  the  inverter  function. 


n  =  2  is  the  number  of  inverters  that 
are  required  in  active  parallel,  to 
obtain  a  99%  probability  of  survival 
for  the  inverter  function. 


4.2.2  Partial  Redundancy 

In  the  previous  example,  the  system 
was  successful  if  at  least  one  of  n  parallel 
paths  was  successful.  There  may  be  cases 
where  at  least  k  out  of  n  elements  must  be 
successful.  In  such  cases,  the  reliability 
of  the  redundant  group  is  given  by  a  series 
of  additive  terms  (binomial)  in  the  form  of 

P(k,  n|P)  =(jj)pk^  -P)n'k 
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EXAMPLE:  Figure 4-7  illustrates  three 
channels  of  a  receiver.  The  receiver 
will  operate  if  afr  least  two  channels 
are  successful,  that  is,  if  k  =  2  or 
k  =  3.  The  probability  of  each  channel 
being  successful  is  equal  to  p;  then 

R  =  P(2,  3 1 p )  +  P(3,  3 1  p ) 

R=Q)p2{1*p)  +Q)p3(l-p)° 

R  =  [3p2(l-p)]+p3 
R  =  3p2  -  2p3 


Figure  4-7.  Portia  I  Redundant  Configuration 
of  m  *  3  Elements,  with  k  =  2 
Required  for  Success 

Use  of  the  binomial  formula  becomes 
impractical  in  multi-element  partial  redundant 
configurations  when  the  values  of  n,  k,  and 
r  become  large.  In  these  cases,  the  normal 
approximation  may  be  used  as  outlined  in 
Paragraph  2.2.3  of  Appendix_2.-/  The 

—'See  also  almost  any  good  text  book  on  probability 
and  statistics. 


approach  can  be  best  illustrated  by  an 
example: 

EXAMPLE:  A  new  transmitting  array 
is  to  be  designed  using  1000  RF 
elements  to  achieve  design  goal  per¬ 
formance  for  power  output  and  beam 
width.  A  design  margin  has  been 
provided,  however,  to  permit  a  lO1® 
loss  of  RF  elements  before  system 
performance  becomes  degraded  below 
the  acceptable  minimum  level.  Each 
element  is  known  to  have  a  failure 
rate  of  1000  x  10*6  failures  per  hour. 
The  proposed  design  is  illustrated  in 
Figure  4-8,  where  the  total  number  of 
elements  is  n  =  1000;  the  number  of 
elements  required  for  system  success 
is  k  =  900;  and,  conversely,  the 


Figure  4-8.  Partial  Redundant  Array  with 
m  =  1000  Elements,  r  =  0,  50,  100,  150 
Permissible  Element  Failures  # 
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number  of  element  failures  permitted 
is  r  =  100.  It  is  desired  to  compute 
and  plot  the  reliability  function  for  the 
array. 

Each  discrete  point  for  time  (t)  on  the 
function  is  given  by  the  binomial  sum¬ 
mation  as: 

R,(t)  =  ip)  pxqn'x 

100 
=  2 
x=0 

where 

p  =  l-e*^1 

q  =  e*^1 

A  =  Element  failure  rate 

This  binomial  summation  can  be  ap¬ 
proximated  by  the  standard  normal 
distribution  function,  using  Table  2-II 
of  Appendix  2  to  compute  reliability 
for  the  normalized  statistic  Z: 

Rs(t)  =  F(Z) 


and 


X-  n(l  -  e~At) 
v/n(l  -  e*^1)  e'^‘ 


failures  are  permitted  and  one  element 
fails  each  hour  of  system  operation. 
A  preliminary  selection  of  discrete 
points  at  which  to  compute  reliability 
might  then  fall  in  the  80-  to  120-hour 
bracket. 

At  80  hours: 

P  .  np  .  1000(1  -  e-1000  ><  10'6  *  80) 

=  77 

q  =  e-1000  x  10"6  x  80  _  ^23 

o  =  /np  =  /7L07  =  8.4 
x  =  100 

7  100  -  77  _  97o 

A80  -  O  _ 

Rs(80)  =  F(Z80)  =  F(+2.73) 

=  .997,  from  Table  2-11 

At  100  hours: 

fi  =  np  =  1000(1  -  e*1000  x  10*6  x  10°) 

=  95 

q  _  e-1000  x  10*^  x  100  _ 

o  =  /  npq  =  /86  =  9.3 
x  =  100 


(1000)  Q_e-At)x(e-At)n-x 


Z  -  100  -  95  =  54 

By  observation,  it  can  be  reasoned  100  9.3 

that  system  MTBF  will  be  approxi¬ 
mately  100  hours,  since  100  element  Rs(100)  =  F(Zj  00)  =  R.54)  =  .705 
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Reliability  at  other  discrete  points  in 
time,  computed  as  above,  are: 

Time,  t  Z  F(Z)  =  Rs(t) 


90 

1.54 

.938 

95 

1.11 

.867 

105 

0 

.500 

110 

-  .42 

.337 

120 

-1.30 

.097 

130 

-2.13 

.017 

These  points  are  then  used  to  plot  the 
reliability  function  for  the  array,  shown 
in  Figure  4-9. 


of  failure  are  now  considered  —  open-circuit 
and  short-circuit  -  either  of  which  can  affect 
the  surviving  element  unless  proper  design 
precautions  are  taken.  In  series  redundant 
circuits,  the  open-circuit  mode  prevents 
surviving  elements  from  functioning;  in 
parallel  redundant  circuits,  the  short-circuit 
mode  prevents  the  surviving  elements  from 
functioning. 

The  probabilities  that  are  necessary 
to  describe  element  failure  can  best  be 
illustrated  by  an  example.  Assume  that  100 
randomly  selected  items  are  tested  for  a 
prescribed  time  to  determine  failure  prob¬ 
abilities.  The  results  are  as  follows: 


4.2.3  Failure  Modes  in  the 

Operative  Redundant  Cose 

The  previous  redundant  models  were 
based  on  the  assumption  of  one  mode  of 
failure,  adequately  protected  so  that  failure 
of  an  individual  element  could  not  affect  the 
operation  of  a  surviving  element.  Two  modes 


80  items  experienced  no  failure 
15  items  experienced  an  open  failure 
5  items  experienced  a  short-circuit 
failure 

Thus,  the  estimated  probability  of  success 
is  80/100  =  0.80.  The  estimated  probability 
of  an  open  failure  (q0)  is  0.15,  and  the 


Rs(t) 


SYSTEM  OPERATING  TIME  IN  HOURS,  t 
Figure  4-9.  Reliability  Functions  for  Partial  Redundant  Array  of  Figure  4-8. 
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estimated  probability  of  a  short-circuit  failure 
(qs)  is  0.05.  The  sum  of  the  two  failure 
probabilities  (opens  and  shorts  are  mutually 
exclusive  events)  is  the  probability  of 
element  failure  (q),  0.20.  This  could  have 
been  obtained  by  subtracting  the  probability 
of  element  success  (p)  from  one,  i.e.: 

q  =  1  -  p  =  +  qs 

The  conditional  probabilities  of  open 
and  short  failures  are  sometimes  used  to 
represent  element  failure  probabilities.  The 
data  indicate  that  15  of  the  20  failures  that 
occurred  were  due  to  opens.  Therefore,  the 
conditional  probability  of  an  open  failure  — 
i.e.,  the  probability  that  if  a  failure  occurs, 
it  is  an  open  failure  —  is  15/20  =  0.75. 
Similarly,  the  conditional  probability  of  a 
short-circuit  is  5/20  =  0.25.  If 

qj,  =  conditional  probability  of  an  open 

=  q„/q 

qlj  =  conditional  probability  of  a  short 

=  qs/q 

then  the  following  relationship  holds  true: 

q» +  qL  =  1 


Parallel  Elements: 

For  two  elements,  A  and  B  in  an 
operative-parallel  redundant  configuration, 
the  unit  will  fail  if  (1)  either  A  or  B  shorts, 
or  (2)  both  A  and  B  open.  The  probabilities 
of  these  two  events  are: 

(1)  P1(S)  =  Pa(S)  +  Pb(S)-Pa(S)Pb(S) 

=  1  -  [1  -  Pa(S)]  [1  -  Pb(S)] 


=  1-H-q.aHl-q.bl 

(2)  P2(0)  =  Pa(0)Pb(0) 

~  ^oaqob 

where  Pj(O)  is  the  probability  that  Element  i 
opens  and  P;(S)  is  the  probability  that 
Element  i  shorts.  Since  Events  (1)  and  (2) 
are  mutually  exclusive,  the  probability  of 
unit  failure  is  the  sum  of  the  two  event  prob¬ 
abilities,  or 

P(F)  =  R  =  P,(S)  +  P2(0) 

- 1  -  a  -  -  qSb} +  ^ob 


By  introducing  the  possibility  of 
short-circuit  failures,  unit  reliability  may  be 
decreased  by  adding  parallel  elements.  As 
an  example,  if  q0  =0.10,  the  reliability  for 
several  values  of  m  and  qs  is  as  shown  in 
Table  4-1. 


In  general,  if  there  are  m  parallel  elements, 

—  m  m 

R  =  1  -  n  (1  -  qsi)  +  n  qoi 
i~  l  i=  1 

The  reliability  is  equal  to  1  -  R,  or 

m  m 

R=  n  *  qoi 

i=  1  i=  1 

If  all  elements  are  equal,  unit  reliability  is 
then 

R  =  (1  -  qs)m  -  qom 


Optimum  Number  of  Parallel  Elements: 
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TABLE  4-1.  VALUES  OF  R  FOR  qe=  0.10  0.1  <  q  <0.2,  and  q8/qo  =  0.5 


Case  (a) 

q8  =  ° 

Case  (b) 
qs  =  0.05 

Case  (c) 
qs  =  0.10 

Case  (d) 
qs  =0.20 

m  =  1 

0.900 

0.85 

0.80 

0.70 

m  =  2 

0.990 

0.89 

0.80 

0.63 

m  =  3 

0.999 

0.86 

0.73 

0.51 

For  Cases  (a)  and  (b),  adding  one  parallel 
element  (m  =  2)  increases  unit  reliability. 
For  (a),  the  reliability  increases  as  m  in¬ 
creases  and  approaches  1  as  m  approaches 
infinity.  However,  for  (b),  increasing  m  from 
2  to  3  decreases  reliability.  In  fact,  the  re¬ 
liability  continues  to  decrease  as  m  gets 
larger.  Therefore,  for  Case  (b),  the  optimum 
number  of  parallel  elements  for  maximum  re¬ 
liability  is  2.  For  Case  (c),  R  is  the  same 
for  m  =  1  and  2,  but  is  less  for  m  =  3.  For 
Case  (d),  the  maximum  reliability  occurs  for 
m  =  1,  the  non-redundant  con  figuration. 

For  any  range  of  qo  and  qs,  the 
optimum  number  of  parallel  elements  is  1  if 
qs  >  q0.  For  most  practical  values  of  qs 
and  q0,  the  optimum  number  is  2. 

Figure  4-10  gives  the  optimum  number 
of  parallel  elements  for  values  of  q0  ranging 
from  0.001  to  0.5  and  for  the  ratio  qs/q 
ranging  from  0.001  to  1.0  (use  the  left-hand 
and  bottom  axes). 

Knowing  the  general  range  of  element  failure 
probabilities  and  possibly  knowing  the  ratio 
of  short  to  open  possibilities,  the  figure  can 
be  used  to  determine  the  optimum  number  of 
parallel  elements.  For  example,  if  it  is 
believed  that  overall  element  reliability  is 
somewhere  between  0.8  and  0.9  and  that 
opens  are  likely  to  occur  about  twice  as 
often  as  shorts,  then 


Since  qo  +  qs  =  q, 

0.1  <  3/2qo-<0.2 
or 

0-7  <  qo  <0.13 

For  each  of  the  values  of  qo  between  0.07 
and  0.13,  the  optimum  number  is  determined 
at  qo/qs  =  0.5.  If  this  number  is  the  same 
for  all  or  nearly  all  possible  values  of  qo, 
then  the  optimum  design  is  fairly  well 
established.  In  this  case,  Figure  4-10  shows 
that  2  is  the  optimum  number  of  parallel 
elements.  If  an  optimum  number  boundary 
line  is  crossed  somewhere  in  the  interval 
of  possible  values  of  q0,  then  it  will  be 
necessary  to  narrow  the  length  of  this  interval 
by  a  thorough  reappraisal  of  existing  failure 
data  or  by  tests  specifically  designed  to 
yield  more  precise  information. 


Series  Elements: 

The  results  given  above  show  that  if 
qs  2  qQ,  the  optimum  number  of  parallel 
paths  is  1.  However,  adding  an  element  in 
series  with  another  element  will  result  in  an 
increase  in  reliability  if  qs  is  much  greater 
than  qo.  Assume  we  have  a  system  made  up 
of  two  series  elements,  A  and  B,  in  which 
both  short-circuit  and  open  failures  are 
possible.  The  unit  will  fail  if  (1)  both  A  and 
B  short,  or  if  (2)  either  A  or  B  open.  The 
probabilities  of  Events  (1)  and  (2)  are: 

(1)  P,(S)  =  P„(S)Pb(S) 

=  9sa9sb 
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(2)  P2{0)  «  Pa(0)  +  Pb(0)  -  Pa(0)Pb(0) 
=  1  -  [1  -  pa(0)]  [1  -  Pb(0)] 

-  i-[i-qoaHi-qob] 

Since  Events  (1)  and  (2)  are  mutually  ex¬ 
clusive,  the  probability  of  unit  failure  is  the 
sum  of  two  events,  or 

P(F)  =  R  =  PjfS)  +  P2(0) 

=  qsaqsb+I-(1*qoa^1-qob^ 


In  general,  if  there  are  n  series  elements, 

R  =  1  -  n  (1  -qo.)  +  n  qsi 
i=l  i=l 

and 

R-  ”  »  q3i 

i=  1  i=l 

If  all  elements  are  identical,  then  the  re¬ 
liability  of  an  n-element  series  unit  is 

R  -  <1  -  q„)“  -  q,« 

Note  that  n  replaces  m  in  the  equation  for  a 
parallel  unit  and  the  positions  of  q0  and  qs 
are  reversed. 


Figure  4-10  can  be  used  to  determine 
the  optimum  number  of  series  elements  by 
using  the  upper  and  right-hand  £xes.  As  in 
parallel  systems,  if  q0  =  qs,  the  optimum 
number  of  series  elements  is  1. 

Series-Parallel  Elements: 

A  four^element  series-parallel  con¬ 
figuration  is  shown  in  Figure  4-11.  Each 
element  performs  the  same  function. 

Block  success  is  defined  as  an  output  from 
at  least  one  element.  Therefore,  the  block 
is  successful  if  (1)  either  unit  has  less  than 
two  opens,  and  (2)  at  least  one  unit  has  no 
shorts. 

(1)  Pj(O)  =  probability  that  at  least 

one  unit  has  2  opens 

=  1  -  probability  that  both  units 
have  at  least  1  ‘‘no  open” 

=  l-[l-Pai(0)Pa2(0)] 
[l-Pbl(0)Pb2(0)] 

(2)  P2(S)  =  probability  that  at  least 

1  element  in  each  unit  shorts 

-  [i-0-v»)0-p.s<»)] 

[l-(l-Pbi(S))(l-Pb2(S))] 


Figure  4-11.  Series-Parallel  Configuration 
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Then 

Pj(O)  +  P2(S)  =  probability  of 

block  failure 


1  -  (P.(O)  +  P,(S)3  =  reliability  of  block 

‘  =R,P 


Since 


loa^o 


2 


2 


2 


For  n  identical  units  each  containing  m 
elements, 


Pi(O)  = 


^oi 


and 


and  if  all  elements  are  identical, 


Pi®  =  qsi 

Then 

Rsp  =  £  *  %ai  ^oa7|Q  *  %bj  %b  J 


Q  •  *  -Q-O-O"]- 

If  qs  and  qo  are  small,  then 
Rsp  =sl'n(iom*(mqs)“ 

Parallel-Series  Elements 


E’(i-q*0(l",'0H 

When  the  units  are  identical  (Aj  =  Bj  and 
A  2  =  B2)  and  all  components  perform  the 
same  function,  then 


A  4-element  parallel-series  con¬ 
figuration  is  shown  in  Figure  4-12.  Each 
element  performs  the  same  function.  Success 
is  defined  as  an  output  from  at  least  one 
element.  Therefore,  the  block  is  successful 
if  (1)  at  least  one  path  has  no  opens,  and  (2) 
both  paths  have  less  than  two  shorts. 


Figure  4-12.  Parallel -Series  Configuration 
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(1)  P^O)  =  probability  that  at  least  one 

element  in  each  path  has  opened 


-n-(i-p.,(o))(i-%(°3 

[I.(l.Pbi(0,)(l.Pk2(o| 

(2)  P2(S)  =  probability  that  at  least  one 
path  has  two  shorts 

=  one  minus  the  probability  that 
both  paths  have  at  least  one 


If  all  paths  are  identical  (At  =  Bj  and  A2  - 
B2)  and  all  components  perform  the  same 
function, 

RpS  =  Q  -^sa  <sb]2 

-[1-(1-qoa)(1-q.b)]2 


a 

“no  short’’ 

1  -  PM  (S)  p>2  (sTJ 

For  m  identical  paths  each  containing  n 
elements, 

[T- pb,  (s>  pb2  is7j 

If  all  elements  are  identical, 

Then 

-D-o  •".)*]■ 

Pj(O)  +  P2(S)  =  probability  of  block  failure 

If  qo  and  qs  are  small, 

1  -  [Pt  (0) 

+  P2  (S)]  =  reliability  of  block 
=  R 

ps 

Since 

P  j(0) 

=  qoi 

4.2.4  Operative  Redundancy,  Switching 
Required 

and 

Pj(S) 

then 

rp.  -D  • 

=  %i 

qsaj  qsa  JO  ^sbj 

Until  now  we  have  dealt  with  circuits 
where  it  was  assumed  that  switching  devices 
were  either  absent  or  failure  free.  We  now 
deal  with  circuits  whose  redundant  elements 
are  continuously  energized  but  do  not  be¬ 
come  part  of  the  circuit  until  switched  in 
after  a  primary  element  fails.  We  will  con¬ 
sider  two  modes  of  failure  that  can  be  as¬ 
sociated  with  the  switching  mechanism: 

-[>• 

Type  (1).  The  switch  may  fail  to 
operate  when  it  is  supposed  to. 
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Type  (2).  The  switch  may  operate 
without  command  (prematurely). 

in  the  following  discussion, 

q8  =  probability  of  a  Type  (1)  failure 

q;  *  probability  of  a  Type  (2)  failure 

Two  Paralioi  Elements 

Consider  the  system  in  Figure  4-13. 

There  are  three  possible  element  states  that 
could  lead  to  system  failure: 

1.  A  succeeds,  B  fails 

2.  A  fails,  B  succeeds 

3.  A  fails,  B  fails 

The  unreliability  of  the  system,  R,  is  found 
from 

R  «  Pa^q's  +  ^Pb^  +  ^b 

If  we  are  not  concerned  with  Type  (2) 
failures, 

q's  =  o 


and  the  unreliability  is 

Rd  =  qaPb^s  +  qaqb  | 

=  qaqs +  qapsqb 

As  an  example,  assume 
qa  =  qb  =  0.2 
and  qs  =  q‘s  =  0.1 

Then 

R  =  Pa^'s  +  qapbqs  +  qaqb 

=  (0.8K0.2K0. 1)  +  (0.2X0. 8)(0. 1)  +  (0.2H0.2) 

=  0.072 
R  =  1  -  R 
=  1  -  0.072 
=  0.928 
if  qa  =  0, 

Rd  =  qa9s  +  qaP  s9b 

=  (0.2X0. 1)  +  (0.2X0.8X0.2) 


Figure  4-13.  Redundancy  with  Switching 
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=  0.052 
RD  =  1  -  0.052 


—  A  succeeds,  S  switches  to  B, 
B  fails,  S  does  not  switch 
to  C. 


=  0.948 

Thrat  Parallel  Elements 


5.  —  A  succeeds,  S  switches  to 

5  B,  B  succeeds,  S  switches 
to  C. 


Figure  4-14  illustrates  this  type 
circuit.  It  operates  as  follows:  If  A  fails, 
S  switches  to  B.  If  B  then  fails,  S  switches 
to  C.  Enumerating  all  possible  switching 
failures  shows  two  kinds  of  Type  (1)  failure 
and  four  kinds  of  Type  (2)  failure: 


6.  —  A  fails,  S  switches  to  B,  B 

6  succeeds,  S  switches  to  C. 

The  possible  states  of  operation  of 
elements  A,  B,  and  C  and  also  switching 
failure  that  will  cause  system  failure  for 
each  state  are  shown  in  Table  4— II. 


Figure  4-14.  Three-Element  Redundant 
Configurations  with  Switching 

Type  (1 )  Switching  Failures: 

1.  q_  —  A  fails,  S  does  not  switch  to 

B. 

2.  qs  —  A  fails,  S  switches  to  B,  B 

fails,  S  fails  to  switch  to  C. 

Type  (t)  Switching  Failures: 

3.  q'  —  A  succeeds,  but  S  switches 

83  to  B. 


The  probability  of  system  failure  can 
be  found  by  summing  up  the  probabilities  of 
individual  combinations  or  operating  states 
which  result  in  system  success,  each  mul¬ 
tiplied  by  the  probability  of  a  switching 
failure  which  would  produce  system  failure 
in  each  state;  i.e.: 

R  =  I  Piq9i 

1=1 

or,  as  shown  in  Table  4-11, 

R  =  Ps%%(i,s3  +  Pb9aqc  (q9l  +  q’s6> 

+  pcqaqb  (q8l  +  qS2) 

+  p9Pb9cq  9j +  PaPcqbq  9^ 

+  PbPcqaq9l  +  qaqbqc 

(Primes  denote  “static”  or  Type  (2) 

switch  failures) 

If  the  probability  of  Type  (2)  switching 
failures  is_very  small  (q^j  =  0),  and  qsl  = 
q  2  =  qs,  R  can  be  found  directly  from  the 
following  equation: 

R  =  qaq9  +  qap9qbq9  +  qap9qbP9qc 
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TABLE  4-11.  STATES  OF  OPERATION  OF  A  THREE  PARALLEL  ELEMENT 
CIRCUIT  WITH  DECISION  AND  SWITCHING  DEVICE 


Operating 

State 

(i) 

Operating  Condition 

Switching 

Failure 

Resulting 
in  System 

Failure 

R  =  i  ?>% 

i=  1 

Succeed 

Fail 

1 

A 

BC 

s3 

ABCs3 

2 

B 

AC 

sl  or  s6 

ABC(sj+s6) 

3 

C 

AB 

Sj  or  s2 

ABC(¥j+s^) 

4 

AB 

C 

s5 

ABC(s5) 

5 

AC 

B 

S4 

ABC(s4) 

6 

BC 

A 

S1 

ABCfsj) 

7 

ABC 

- 

Cannot  fail 

ABC 

8 

- 

ABC 

Always  fails 
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4.3  VOTING  REDUNDANCY 


Figure  4*15.  Three-Element  Voting  Redundancy 


Figure  4-15  shows  three  elements, 
A,  B,  and  C,  and  the  associated  switching 
and  comparator  circuit  which  make  up  a  voting 
redundant  system.  The  circuit  function  will 
always  be  performed  by  an  element  whose 
output  agrees  with  the  output  of  at  least  one 
of  the  other  elements.  At  least  two  good 
elements  are  required  for  successful 
operation  of  the  circuit.  Two  switches  are 
provided  so  that  a  comparison  of  any  two 
outputs  of  the  three  elements  can  be  made. 
A  comparator  circuit  is  required  that  will 
operate  the  two  switches  so  that  a  position 
is  located  where  the  outputs  again  agree  after 
one  element  fails. 

If  comparison  and  switching  are  failure 
free,  the  system  will  be  successful  as  long 
as  two  or  three  elements  are  successful.  In 
this  case, 


If  failure-free  switching  cannot  be  assumed, 
conditional  probabilities  of  switching 
operation  have  to  be  considered.  To  simplify 
the  discussion,  consider  the  probability  of 
the  comparator  and  switches  failing  in  such 
a  manner  that  the  switches  remain  in  their 
original  positions.  If  this  probability  is 
qs,  then 

R  =  PaPb  +  (PaPc  +  PbPc  '  2PaPbPc)(1  * 


EXAMPLE:  Let  all  three  elements 

have  the  same  probability  of  success, 
0.9;  i.e.,  pa  =  Pb  =  pc  =  0.9.  Assume 
that  the  comparator-switch  has  a  prob¬ 
ability  of  failing  (qs)  of  0.01: 

R  =  .9Z  +  [(.9) 2  +  (.9)2  -  2(.9)3]  [1  -  .01] 


R  =  P«Pb  +  PaPc  +PbPc  *2PaPbPc 


P  =  .970 
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4.4  STANDBY  REDUNDANCY 


In  a  system  with  redundant  elements 
on  a  completely  standby  basis  (not  energized), 
no  time  is  accumulated  on  a  secondary 
element  until  a  primary  element  fails.  For  a 
two-element  system  (Figure  4-16)  the  re¬ 
liability  function  can  be  found  directly  as 
follows:  The  system  will  be  successful  at 
time  t  if  either  of  the  following  two  con¬ 
ditions  hold  (let  A  be  the  primary  element): 

(1)  A  is  successful  up  to  time  t. 

(2)  A  fails  at  time  tj  <  t,  and  B 
operates  from  t!  to  t. 


Figure  4-16.  Diagram  Depicting  a 
Standby  Redundant  Pair 


The  mean-time-to-failure  of  the  system  is 
Aa  +  Ab 

MTBF  = 

Vb 

=  when  0a  £  0b 

=  20  when  *0  =  0.  =  0 

a  d 

For  n  elements  of  equal  reliability, 

R(t)  =  e'Xt  “i1  Ml 

r  =  o  r! 

MTBF  =  "  =  n0 

Figure  4-17  is  a  chart  relating  system 
reliability  to  the  reliability  of  individual 
standby  redundant  parallel  elements  as  a 
function  of  mission  time,  t/0.  By  entering 
the  chart  at  the  time  period  of  interest  and 
proceeding  vertically  to  the  allocated  reli¬ 
ability  requirement,  the  required  number  of 
standby  elements  can  be  determined. 


For  the  exponential  case  where  the 
element  failure  rates  are  Aa  and  Ab,  reliabil¬ 
ity  of  the  standby  pair  is  given  by 


Aa  -(Ab)t 

vO 


This  is  a  form  of  the  mixed  exponential  and 
it  does  not  matter  whether  the  more  reliable 
element  is  used  as  the  primary  or  as  the 
standby  element.  If  Aa  =  Ab  =  A, 

R(t)  =  e-At(l  +  At) 


EXAMPLE :  A  critical  element  within 
a  system  has  a  demonstrated  MTBF, 
0  =  100  hours.  A  design  requirement 
has  been  allocated  to  the  function  per¬ 
formed  by  this  element  of  Rs  =  .98  at 
100  hours,  corresponding  to  a  30-to-l 
reduction  in  unreliability  below  that 
which  can  be  achieved  by  a  single  ele¬ 
ment.  In  this  case,  n  =  4  will  satisfy 
the  design  requirement  at  t/0  =  1;  i.e., 
a  four-element  standby  redundant  con¬ 
figuration  would  satisfy  the  require¬ 
ment.  Failure  rates  of  switching  de¬ 
vices  must  next  be  taken  into  account. 
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Figure  4-17.  System  Reliability  for  n  Standby  Redundant  Elements 


4.5  DEPENDENT  FAILURE  PROBABILITIES 


Up  to  this  point,  it  has  been  assumed 
that  the  failure  of  an  operative  redundant 
element  has  no  effect  on  the  failure  rates  of 
the  remaining  elements.  This  might  occur, 
for  example,  with  a  system  having  two  ele¬ 
ments  in  parallel  where  both  elements  share 
the  full  load. 


An  example  of  conditional  or  dependent 
events  is  illustrated  by  Figure  4-18.  A  and 
B  are  both  fully  energized,  and  normally 
share  or  carry  half  the  load,  1/2L.  If  either 
A  or  B  fails,  the  survivor  must  carry  the  full 


B 


Figure  4-18.  Load-Sharing  Redundant 
Configuration 
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load,  L.  Hence,  the  probability  that  one 
fails  is  dependent  on  the  state  of  the  other, 
if  failure  probability  is  related  to  load  or 
stress.  The  system  is  operating  satisfac¬ 
torily  at  time  t  if  either  A  or  B  or  both  are 
operating  successfully. 


TIME  AXIS  - 1 - 1 

0  t,  t 

CONDITION  ... 

«) - - - - 


(2) - - A  B' 


(3)— £ -  B  A' 


Figure  4-19.  Success  Combinations  in 
Two-Element  Load-Sharing  Case 


Figure  4-19  illustrates  the  three  pos¬ 
sible  ways  the  system  can  be  successful. 


The  bar  above  a  letter  represents  a  failure 
of  that  element.  A  primed  letter  represents 
operation  of  that  element  under  full  load; 
absence  of  a  prime  represents  operation  under 
half  load.  If  the  elements’  failure  times  are 
exponentially  distributed  and  each  has  a 
mean  life  of  0  under  load  L/2  and  0'  =  0  k 
under  load  L(k  >  0),  block  reliability  is  given 
below  without  derivation: 


0S  =  0/ k  +  0/2 

When  k  =  1,  the  system  is  one  in 
which  load-sharing  is  not  present  or  an  in¬ 
creased  load  does  not  affect  the  element 
failure  probability.  Thus,  for  this  case,  0S 
is  equal  to  30/2.  If  there  were  only  one 
element  it  would  be  operating  under  full  load, 
so  system  mean  life  would  be  O'  =  0/k. 
Hence,  the  addition  of  a  load-sharing  ele¬ 
ment  increases  the  system  mean  life  by  0/2. 
This  increase  in  mean  life  is  equivalent  to 
that  gained  when  the  elements  are  indepen¬ 
dent,  but  the  overall  system  reliability  is 
usually  less  because  O'  is  usually  less  than 
0(k  >  1). 


RM  20'  -t /O'  0  -2 1/0 

R(t)  ~  20'-  0  '  20'-  0 


System  mean  life  is  equal  to 


4.6  OPTIMUM  ALLOCATION  OF  REDUNDANCY 


Decision  and  switching  devices  may 
fail  to  switch  when  required  or  operate  in¬ 
advertently.  However,  these  devices  are 


usually  necessary  for  redundancy,  and  in¬ 
creasing  the  number  of  redundant  elements 
increases  the  number  of  switching  devices. 


A4-24 


NAVWEPS  00-65-502 


If  such  devices  are  completely  reliable,  re¬ 
dundancy  is  most  effective  at  lower  system 
levels.  If  switching  devices  are  not  failure- 
free,  the  problem  of  increasing  system  relia¬ 
bility  through  redundancy  becomes  one  of 
choosing  an  optimum  level  at  which  to  re¬ 
plicate  elements. 

Since  cost,  weight,  and  complexity 
factors  are  always  involved,  the  minimum 


amount  of  redundancy  that  will  produce  the 
desired  reliability  should  be  used.  Thus 
efforts  should  be  concentrated  on  those  parts 
of  the  system  which  are  the  major  causes  of 
system  unreliability. 

As  an  example,  assume  that  we  have 
two  elements,  A  and  B,  with  reliabilities 
over  a  certain  time  period  of  0.95  and  0.50, 
respectively.  If  A  and  B  are  joined  to  form 
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a  series  non-redundant  circuit,  its  reliability 
is 

R  =  (0.95X0.50)  =  0.475 

If  we  duplicate  each  element,  as  in  Figure 
4- 20a, 

R,  =  11- (0.50)2]  [1- (0.50)2] 

=  0.748 

Duplicating  Element  B  only,  as  in  Figure 
4- 20b, 

R2  =  0.95  [1- (0.50)2] 

=  0.712 

Obviously,  duplicating  Element  A  contributes 
little  to  increasing  reliability. 

Triplication  of  B  gives  the  configura¬ 
tion  shown  in  Figure  4-20c,  and 


R3  =  0.95  [1 -(0.5)3] 

=  0.831 

R3  gives  a  75%  increase  in  original  circuit 
reliability  as  compared  to  the  58%  increase 
of  Rr 

If  complexity  is  the  limiting  factor, 
duplicating  systems  is  generally  preferred  to 
duplicating  elements,  especially  if  switching 
devices  are  necessary..  If  another  series  path 
is  added  in  parallel,  we  have  the  configura¬ 
tion  in  Figure  4-20d,  and 

R4  =  1  -  (1  -  .475)2 
=  0.724 

R4  is  oniy  slightly  less  than  Ri-  If  switches 
are  necessary  for  each  redundant  element, 
R4  may  be  the  best  configuration.  A  careful 
analysis  of  the  effect  of  each  element  and 
switch  on  system  reliability  is  a  necessary 
prerequisite  for  proper  redundancy  application. 


4.7  REDUNDANCY -WITH-REPAIR 


In  certain  instances  it  may  be  more 
practical  to  design  a  system  with  built-in 
“on-line”  maintenance  features  to  overcome 
a  serious  reliability  problem  than  to  concen¬ 
trate  on  improving  reliability  of  the  compo¬ 
nents  giving  rise  to  the  problem.  Redundancy- 
with-repair  can  be  made  to  approach  the 
upper  limit  of  reliability  (unity),  contingent 
on  the  rate  with  which  element  failures  can 
be  detected  and  repaired  or  replaced.  The 


system  thus  continues  on  operational  status 
while  its  redundant  elements  are  being  re¬ 
paired  or  replaced,  so  long  as  these  repairs 
are  completed  before  their  respective  redun¬ 
dant  counterparts  also  fail. 

There  are,  in  general,  two  types  of 
monitoring  that  may  be  used  for  failure  de¬ 
tection  in  systems  employing  redundant 
elements: 
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(1)  Continuous  monitoring  —  element 
failures  are  recognized  at  the  in¬ 
stant  they  occur  and  repair  or  re¬ 
placement  action  begins  immedi¬ 
ately.  It  is  assumed  that  repairs 
can  be  made  at  the  rate  of  g  per 
hour,  where  g  is  the  mean  of  an 
exponential  distribution  of  repair 
times. 

(2)  Interval  monitoring— the  system  is 
checked  for  element  failures  every 
T  hours.  Failed  elements  are  re¬ 
placed  with  operable  elements. 
Here  it  is  assumed  that  the  times 
required  to  monitor  the  elements 
and  make  replacements  are  negli¬ 
gible. 


4.7.1  Continuous  Monitoring 

The  reliability  equation  for  two  re 
dundant  elements  is: 


_  s,t  s.  t 

R(t)  ,  sie  2  -  V  1 
sl-s2 

In  the  case  of  operative  redundancy, 


S1  = 

1  P 

f>  + 

Vg2  H 

h  6gA  4 

— 1 

s2  = 

-iLL3A  - 

*  ft)  - 

\f~g2 

+  6gA 

,Aj 

For  standby  redundancy, 

sl  = 

-~[(2A  + 

\J  g2  - 

v  4gx"j 

s2  = 

+ 

ft)' 

+  4gx] 

The  reliability  equations  for  these  two  cases 
are  plotted  in  Figure  4-21  and  Figure  4-22. 


EXAMPLE :  Two  similar  elements  with 
MTBF’s  of  100  hours  are  to  be  used 
as  a  redundant  pair.  The  mean-time- 
to-repair  for  each  element  is  10  hours. 
Determine  the  reliability  of  the  pair 
for  a  23-hour  mission  when  used  as  (a) 
an  operative  redundant  pair,  and  (b)  a 
standby  redundant  pair. 

The  graphs  of  the  reliability  equations, 
Figures  4-21  and  4-22,  are  given  in 
terms  of  At  and  g/A.  From  the  infor¬ 
mation  given,  A  =  1/MTBF  =  10"2,  t  =  23 
hours,  and  g  =  l/(repair  time)  =  10'1. 
Hence,  At  =  .23  and  g/A  =  10.  By  means 
of  the  graphs,  the  reliability  for  the 
two  cases  is  found  to  be: 

Operative  redundancy: 

R(23  hours)  =  .9760 

Standby  redundancy: 

R(23  hours)  =  .9874 

When  comparing  the  reliability  of  two 
situations  that  exceed  .90,  as  above,  it  is 
more  meaningful  to  compare  the  unreliabil¬ 
ities.  In  this  case,  a  comparison  of  .0240 
versus  .0126  shows  about  a  2-to-l  difference 
in  unreliability  between  the  operative  and 
the  standby  case,  in  favor  of  the  latter. 


4.7.2  Interval  Monitoring 

The  reliability  equations  for  interval 
monitoring  require  that  the  mission  time  be 
expressed  as  two  components,  t  =  nT  +  d. 
The  number  of  times  the  elements  will  be 
monitored  during  the  mission  (t)  is  given  by 
n;  T  is  the  time  interval  between  monitoring 
points;  and  d  is  the  time  between  the  last 
monitoring  point  and  the  end  of  the  mission. 
Module  replacement  or  switching  time  is  as¬ 
sumed  to  be  zero. 
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For  standby  redundancy: 


R(t)  =  (2e-Xd-e-2Ad)(2e-AT-e-2XT)n  R(t)  =  (1  +  AT)n(l  +  Ad)e-At 


rt(») 


Figure  4-23.  Reliability  Functions  (or  Several  Cases  of  Interval  Monitoring  and  Repair 


EXAMPLE :  Two  similar  elements  with 
MTBF’s  of  100  hours  are  to  be  used 
as  a  redundant  pair.  The  pair  will  be 
monitored  every  3  hours.  When  a  de¬ 
fective  element  is  found,  it  will  be 
replaced  by  an  operable  element  im¬ 
mediately.  We  wish  to  determine  the 
reliability  of  the  pair  for  a  23-hour 
mission  when  used  as  an  operative 
redundant  pair.  From  the  above,  it  is 
determined  that  t  =  23  hours,  n  =  7, 
nT  =  21,  and  d  =  2  hours.  As  in  the 
previous  example,  A  =  10*2. 


R(23  hours)  =  (2e"02-e-04)(2e-03-e'*06)7 
=  .9935 

Figure  4-23  presents  reliability 
functions  normalized  with  respect  to 
operating  time  t/0,  for  five  cases  of 
T/d  monitoring  intervals,  to  illustrate 
the  reliability  potential  of  designs 
which  provide  this  redundancy  with 
interval  monitoring  and  on-line  repair 
capability. 
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Reliability,  General  Coverage 
Reliability  Prediction  and  Analysis 
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Redundancy 
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Reliability  Bibliographies 
Periodicals 
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section  on  the  application  to  reliabil¬ 
ity  testing.) 
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tables  with  explanations  on  their  use.) 

138.  Department  of  Commerce,  Tables  of  the 
Exponential  Function  ex,  Applied 
Mathematics  Series  14,  National  Bureau 
of  Standards.  (A  most  extensive  set. 
Also  includes  e'x.) 

139.  Hald,  A.,  Statistical  Tables  and 
Formulas,  John  Wiley  and  Sons,  New 
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(Values  of  p  from  .01  to  .50  and  n  from 
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special  IBM  card  format  if  user  desires 
to  set  up  an  edge-punched  card  system.) 

149.  Mendenhall,  W.,  A  Bibliography  of  Life 
Testing  and  Related  Topics,  Bio- 
metrika,  No.  45,  1958,  pp  521-543. 
(Approximately  6 20  references  clas¬ 
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published  in  the  Proceedings  or  the 
Transactions  of  the  PGQRC-IRE. 

154.  Ylvisaker,  Donald,  Bibliography  for 

Probabilistic  Models  Related  to 
Guided  Missile  Reliability,  Proceed¬ 
ings  Exploratory  Conference  on  Missile 
Range  Model  Design  for  Reliability 
Prediction,  2nd  Meeting,  White  Sands, 
New  Mexico,  October  1958.  (84 

references.) 
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Journals  of  Technical  Societies, 

Industries,  and  Agencies 

Annals  of  Mathematical  Statistics  (In¬ 
stitute  of  Mathematical  Statistics, 
Michigan  State  College) 

Bell  System  Technical  Journal  (Bell 
Telephone  Laboratories) 

Bureau  of  Ships  Technical  Journal 
(Bureau  of  Ships,  Navy  Department) 

Electrical  Engineering  (American  So¬ 
ciety  of  Electrical  Engineers) 

IBM  Journal  of  Research  and  Develop¬ 
ment  (International  Business 
Machines  Corporation) 

Industrial  Quality  Control  (American 
Society  for  Quality  Control,  Mil¬ 
waukee,  Wisconsin) 

IRE  Transactions  (Transactions  of 
Professional  Group  on  Reliability 
and  Quality  Control) 

Journal  of  American  Statistical  As¬ 
sociation 

Lubrication  Engineering  (American 
Society  of  Lubrication  Engineers) 

Operations  Research  (Operations  Re¬ 
search  Society  of  America) 

Phillips  Technical  Review  (Phillips 
Research  Laboratories) 

RCA  Review  (Radio  Corporation  of 
America) 


SAE  Journal  (Society  of  Automotive 
Engineers) 

Sylvania  Technologist  (Syl  vania 
Electric  Company) 

Wear  (Elsevier  Publishing  Company, 
Amsterdam  Holland) 

Technical  Magazines 

Automatic  Control  (Reinhold  Publish¬ 
ing  Company) 

Aviation  W  eek  (McGraw-Hill  Publishing 
Company) 

Control  Engineering  (McGraw-Hill 
Publishing  Company) 

E  lectrical  Manufacturing  (Cono  ver-M  ast 
Publications,  Inc.) 

Electromechanical  Design  (Benwill 
Publishing  Corporation) 

Electronic  Design  (Hayden  Publishing 
Company) 

Electronic  Equipment  Engineering 
(Sutton  Publishing,  Inc.) 

Electronic  Industries  (Chilton  Publish¬ 
ing  Company) 

Electronics  (McGraw-Hill  Publishing 
Company) 

Machine  Design  (Penton  Publishing 
Company) 

M  ate  rials  in  Design  Engineering 
(Reinhold  Publishing  Company) 


B- 15 


B-8  to  B-9 


NAVWEPS  00-65-502 


Missiles  and  Rockets  (American 
Aviation  Publications) 

Product  Engineering  (McGraw-Hill 
Publishing  Company) 


Space-Aeronautics  (  Sp  a  c  e/Aeronau- 
tics,  Inc.) 

Test  Engineering  (Mattingley  Publish¬ 
ing  Company) 


B-9  CONVENTIONS  AND  SYMPOSIA 


Aircraft  and  Missiles  Division  Conference  — 
Sponsored  by  American  Society  for 
Quality  Control  (ASQC).  (Proceedings 
published) 

Annual  Meeting  -  American  Society  of 
Mechanical  Engineers  (ASME).  (Pro¬ 
ceedings  published) 

Annual  Meeting  —  American  Statistical  As¬ 
sociation  (ASA).  (Papers  summarized 
in  the  first  J.A.S.A.  issue  published 
after  the  meeting.  Regional  meetings 
are  also  held.) 

Design  Engineering  Conference  —  Sponsored 
by  A.S.M.E.  (Proceedings  published) 


Joint  Military-Industry  Symposium  on 
Guided  Missile  Reliability  - 
Sponsored  by  Department  of  De¬ 
fense.  (Proceedings  published) 


National  Convention  on  Aeronautical 
Electronics  —  Sponsored  by  I.R.  E. 
Professional  Group  on  Aeronautical 
and  Navigational  Electronics.  (Pro¬ 
ceedings  published) 

National  Convention  -  American  Society  for 
Quality  Control.  (Proceedings 
published.  Regional  meetings  also 
held.) 


Electronic  Components  Conference  - 
Sponsored  by  American  Institute  of 
Electrical  Engineers  (A.I.E.E.), 
Electronic  Industries  Association 
(E.I.A.),  Institute  of  Radio  Engineers 
(I.R.E.),  West  Coast  Electronic  Manu¬ 
facturers  Association.  (Proceedings 
published) 


National  Conference  on  Electron  Devices  — 
Sponsoredby  I.R. E.  Professional  Group 
on  Electron  Devices. 

National  Convention  on  Military  Electronics  — 
Sponsoredby  I.R.  E.  Professional  Group 
on  Military  Electronics.  (Proceedings 
published) 


NAVWEPS 

National  Meeting  of  the  Operations  Research 
Society  of  America.  (Abstracts 
published) 


National  Symposium  on  Reliability  and 
Quality  Control  —  Sponsored  by 
A.I.E.E.,  A.S.Q.C.,  E.I.A.,  l.R.E. 
(Proceedings  published) 


Navy-Industry  Conference  on  Material  Re¬ 
liability  —  Sponsored  by  the  BuWeps- 
Industry  Material  Reliability  Ad¬ 
visory  Board  (B1MRAB).  (This 
conference  provides  perhaps  the 
best  overall  coverage  of  BuWeps 
reli  -ability  plans,  programs,  and 
problems.  Copies  of  annual  con¬ 
ference  proceedings  are  available 
upon  request  to  Secretary  of  BIMR-AB, 
•  Attention:  F.  W.  Snyder,  Bureau  of 
Naval  Weapons,  Department  of  the 
Navy,  Washington  25,  D.C.) 
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Signal  Maintenance  Symposium  —  Sponsored 
by  U.  S.  Army  Signal  Corps.  (Pro¬ 
ceedings  published) 


Society  of  Testing  Materials  Convention. 
(Proceedings  published) 


Statistical  Engineering  Symposium  — 
Sponsored  by  Army  Chemical  Center, 
Maryland.  (Proceedings  published) 


Symposium  on  Electro-Magnetic  Relays  — 
Sponsored  by  National  Association  of 
Relay  Manufacturers  (NARM).  (Pro¬ 
ceedings  published) 


Symposium  on  Friction  and  Wear  —  Sponsored 
by  General  Motors  Research  Foundation 
Laboratories.  (Proceedings  published) 
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INDEX 
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A 

Ac  cap  tone* 

See  also  Tests 

Accept/ reject  boundary  determination,  7-4,  7-11 
Definition  of,  7-1 

Graphic  boundary  representation,  7-11 
Mathematical  method  for  determining  bound¬ 
aries,  7-4 

Operational  characteristic  (OC)  curve,  6-17 
Risk  of  acceptance  of  rejectable  result  (/3), 

6- 14,  6-20,  6-22 

Risk  of  rejection  of  acceptable  result  (a),  6-14, 
6-16,  6-22 

Table  of  test  failures,  7-6,  7-14 
Tolerance  limits,  6-15 
Truncation  of  tests,  7-19 

Active  Element  Group  (AEG) 

Description,  2-19 
MTBF  vs  Complexity,  plot  2-20 
Parts  count,  complexity,  5-7 
Reliability  feasibility,  2-24 

"Ambient"  Problems 

Sources  of,  8-11 

Treatment  of  to  improve  reliability,  8-11 
Avaifab  fifty 

See  also  Tactical  Availability; 

Requirement  description,  1- 18 

B 

Block  Diagrams 

Functional,  2-4,  2-5,  2-6,  5-4 
Reliability,  2-13,  2-15,  5-5,  5-6 

c 

Complexity 

See  Active  Element  Group 

Confidence 

See  Reliability  Estimation 
Measure  of,  6-1 

Confidence  Limits 

See  also  Reliability  Estimation 

Application,  6-4 

Determination,  6-5,  6-15 

Estimated  for  mission  reliability,  A3-12 

One-sided,  curve  for,  A3-11,  A- 18  to  A-23 

Tables,  A 3-7,  A3-9 

Two-sided,  curve  for,  A3- 1 2 

Used  to  estimate  reliability,  A3-8 

Consumer's  Risk 

As  defined  for  MTBF  acceptance  testing,  7-3 
As  defined  for  reliability  acceptance  testing, 

7- 11 


Contractor  Reliability  Program 

Design  review,  3-2 

Development  testing,  3-4 

Failure  reporting,  3-5 

Monitoring,  3-5 

Reliability  analysis,  3-4 

Reliability  in  production,  3-3 

Response  to  RFP,  3-10 

Requirements,  3-7 

Specifications,  3-8 

Subcontractor  and  vendor  control,  3-3 

Corrective  Action 

Determined  throu^i  analysis,  8-15 

Coat-Time  Relationship 

Complexity,  9-2 
Design,  9-2 

Estimating  Procedures,  9-6 
Factors,  9-2 

D 

Decision 

Tests  required  for,  7-16 
To  truncate,  7-19 

Dependability  Plan 

See  Technical  Development  Plan  (TDP) 

TDP  Section  10,  4-6 

Design  Reviews 

Analysis  reports,  3-9 
By  contractor,  3-2 

Designing  for  Reliability 

Block  diagram,  use  of,  5-2 
Design  proposal  phase,  5-2 
Development  phase,  5-2 
Failure  mode,  predominant,  5-21 
Procedural  steps  in  assessment  of,  5-2 
Use  of  mathematical  model  techniques,  5-1,  5-2 
Use  of  redundancy  and  micro-electronics,  5-19, 
10-3,  10-5 

Development  Test(s) 

See  also  Tests 
Contractor’s  program,  3-2 
Definition  of,  6-1 
Designer’s  tool,  6-2 

Evaluation  of  development  progress,  6-2 
Feedback  cycle,  6-1,  6-2 
Quality  design  for  prototype,  6-2 

Documentation  for  Reliability 

Check  list,  source  data,  4-2 
Contract,  4-10,  10-10 
RFP,  4-10 

Specification,  4-9,  10-8 
Technical  development  plan,  4-3 


Index  1 


NAVWEPS  00-65-502 


E 

Environment 

Condition*,  6-3 

Exponential  Distribution 

See  also  Reliability  Estimation 
Analytics]  method  for  testing,  A3-5 
Definition  of,  A2-27 
Relationship  to  Poisson,  A2-28 
Typical  failure  rate  curve,  A2-29 

F 

Failure  Analysis 

As  contributor  to  reliability  design,  8-1 
*Contractor/s  feedback,  3-5 
Data  organization,  8-3 
Data  plotting,  8-4 
Part  reference  designators,  by,  8-8 
Procedures  for,  8-3 
Regression  analysis,  8-18 
Wearout  phenomena,  8-16 

Failure  Mode 

Evaluation  and  effects,  5-19 
Open,  5-20 
Short,  5-20 
Tolerance,  5-20 

Foilure  Rote 

Estimation  of,  A3-1 
Module  failure  rate,  5-15 
Subsystem  failure  rate,  5-16 
Transistor  failure  rates,  curve  for,  5-11 

Feasibility  Estimation  and  Allocation 
Availability/maintainability,  2-36 
Levels  of  feasibility,  2-35 
Procedural  steps  for,  2-21 
Reliability,  2-19,  2-35 
Time  and  Costs  for  Development,  9-1 

Feedback 

Closing  the  feedback  loop,  8-18 
Corrective  action,  8-15 
Data  forms,  8-1 
Failure  information,  8-2 
Follow-up,  8-8 

(n  development  tests,  6-1,  6-2 

H 

Handbooks  and  Publications 

See  Reference  Documents 

Hypothesis 

Acceptance  of,  6-14 
Alternate  hypothesis,  7-3 
Investigative  test  to  formulate,  6-2 
''Null'’  hypothesis  in  acceptance  testing,  7-3, 
7-10 

Rejection  oJ,  6-14 

Test  of,  6-14 

Teat  to  verify,  6-2,  6-21 


I 

Inherent  Reliability 

Definition  of,  1-16 

Instructions 

See  Reference  Documents 

Intrinsic  Availability 

Definition  of,  1-20 


L 

Ufa  Cycle 

Phases  of,  1-4 
Reference  documents,  1-5 
Reliability  growth,  1-2 


M 

Maintainability 

Assess  maintainability  improvement,  8-15 
Assurance  program,  4-7 
Definition  of,  1-22,  8-13 
Estimate  of,  8-14 
Mean-time-to-restore  (MTR),  8-13 
Procedural  steps  for  evaluation  of,  8-13 
Suggested  specification  coverage,  4-20 
Two  methods  of  defining,  4-21 

Maintainability /Availability 

Definition  of  requirements,  2-17 
Estimation  of  in  design  phase,  2-36 
Feasibility  evaluation,  2-42 
Procedural  steps  for  estimation  of,  2-36 
Relationship  between,  2-18 

Mathematical  Modeling  Techniques 

Applications  of,  5-1,  5-22,  5-23 

Maverick  Units 

Annalysis  within  modules,  8-8 
Effect  of  treatment  of  maverick  problems  on 
reliability,  8-10 

Evaluation  of  in  failure  analysis,  8-8 
How  to  identify,  8-6 

Mean  Life 

Estimation  of,  A3-1,  A3-6 

Ratio  of  lower  limit  to  observed,  curve  for,  A3-10 

Mean-Time-Between-Failure  (MTBF) 

Computation  of  with  redundant  combinations, 

A4-5 

Confidence  limits  on,  6-5 

Conversion  to  probzbility,  nomograph,  A3-3 

Determination  of,  6-5 

Meon-Time-To-Restore  (MTR) 

Definitions,  1-22 

Micro-Electronics 

Used  in  designing  for  reliability,  5-19,  10-3 
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Mission  Profit* 

See  also  Specifications,  Technical  Development 

Plan 

Typical  operational  sequence,  4-14 

Monitoring 

See  also  Reporting  and  Monitoring 
Coverage  in  specification,  4-8 
Milestones  for,  4-4 
PERT,  adapted  to  reliability,  10-10 

N 

Nomograph 

Used  in  reliability  estimation,  A3-3 

“Null"  Hypothesis 

In  acceptance  testing,  7-3,  7-10 


0 

Operating  Characteristic  (OC)  Curve 

For  sequential  test  plan,  7-8,  7-15 
In  test  design,  6-17 

Operational  Effectiveness 

Computation  of,  1-15 
Definition  of,  1-14 

Procedural  steps  for  defining  requirements,  2-3 

Operative  or  Active  Redundant  Configurations 

See  also  Redundancy 
Dependent  failures,  A4-23 
Failure  modes,  A4-11 
Multiple  redundancy,  A4-7 
Parallel  elements,  A4-12 
Parallel-series  elements,  A4-16 
Partial  redundancy,  A4-8 
Series  elements,  A4-13 
Series-parallel  elements,  A4-15 
Switching,  A4-17 

Operational  Readiness 

See  Availability;  Tactical  Availability 

Operational  Reliability 

Concept,  1-15 
Definition  of,  1-14 

Operational  Requirements 

Allocation  among  subsystems,  2-11 
Definition  of,  2-2 

Specific  operational  requirement,  2-1 


P 

Performance  Capability 
Definition  of,  I- 10 

Probability 

Definition  of,  A2-1 

Fundamental  rules  for  computing,  A2-5 


Probability  Distribution 

Binomial,  A2-14,  A2-15 
Continuous,  A2-12 

Cumulative,  A2-13,  A2-20,  A2-21,  A2-24 

Definition  of,  A- 2- 12 

Discrete,  A2-12 

Normal,  A2-22 

Poisson,  A2-14,  A2-17 

f 

Producer's  Risk 

As  defined  for  MTBF  acceptance  testing,  7-3 
As  defined  for  reliability  acceptance  testing,  7-11 

Program,  Reliability  Assurance 

See  Reliability  Assurance  Program 

Proposal 

Evaluation,  3-10 


Q 

Quality  Assurance 

Specification  of  program  4-23 


R 

Redundancy 

Allocation  of,  A4-24 
Classifications  of,  A4-6 
Combinations,  A4-3 
Computation  of  MTBF,  A4-5 
Levels  of,  A4-1 
Load-sharing,  A4-6 
Monitoring,  A4-27 
Operative,  A4-6 
Parallel,  A4-4 

Probability  notation  for,  A4-2 
Reliability  block  diagram,  A4-2 
Series  and  parallel,  A4-4 
Standby,  A4-6 
Switching,  A4-6,  A4-17 
Voting,  A4-6 

With  micro-electronics  for  reliability  improve¬ 
ment,  5-19 

With  repair,  A4-6,  A4-26,  10-7 

Reference  Documents 

Applicable  for  life  cycle,  1-5 

Regression  Analysis 

See  also  Statistical  Analysis 
*  Best  fit,  6-8 
Computation,  6-11 
Data  Analysis,  6-8,  6-21 
Determination  of  relationships,  6-8 
Standard  deviation,  6-13 
Tolerance  limits,  6-13 
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Reliability 

Allocation,  2-29 
Assurance  program,  4-6 
Avionics  equipment,  1-24 
Designing-in,  6-1 
Determination  of  observed,  6-4 
Documents  applicable,  1-5 
Estimate  of,  8-9 
Example  of  improvement,  8-16 
Feasibility  estimation,  2-19,  2-34 
Four  methods  of  defining,  4-16 
Levels  of,  2-35 

Minimum  acceptable  reliability,  6-13,  7-2,  7-10, 
10-9 

Nominal  reliability,  7-2,  7-10,  10-9 
Notation  in  redundancy  combinations,  A4-2 
Present  status,  1-23 

Probability  and  time  relationships,  nomograph 
for,  A3-3 

Procedural  steps  for  evaluation  of,  8-9 
Redundant  combination,  A4-3 
Relationship  to  operational  effectiveness,  1-9 
Shipboard  equipment,  1-25 

Specifying  quantitative  requirements,  4-15,  4-17, 
10-9 

Time  dependency,  4-16 

Reliability  Acceptance  Test 

Approval  of  contractor’s  plan,  3-9 

Reliability  Analyses 

Design  and  prediction  reports,  3-16 
Periodic  Analysis,  3-4 

Reliability  Assurance  Program 

Contractor  requirements  in,  3-2 
Purposes  of,  3-1 

Reliability  Data 

Exchange  of,  8-21 
Sources  for,  8-9,  8-21 

Reliability  Estimation 

Confidence  limits,  A3-6 
Exponential  assumption,  A3-2 
Nomograph,  A3-3 
Procedures  for,  A3-1 
Time  and  Costs,  9-1 

Reliability  Formulae 

Addition  theorem,  A2-2,  A2-5 
Binomial  law,  A2-2,  A  2-6 
Combination  theorem,  A2-2,  A2-4 
Multiplication  theorem,  A2-2,  A2-5 
Permutation  theorem,  A2-2,  A2-3 

Reliability  Functions 

Exponential  distribution,  A2-27 
Operating  life,  curve,  A2-29 

• 

Reliability /Maintainability 

Analysis,  specification  of,  4-22 
Assurance  program,  4-22 
Contractor’s  reports,  4-23 
Milestones,  4-7 


Reporting  and  Monitoring 

Design  analysis  and  prediction,  3-16 
During  design,  3-13 
During  production,  3-17 
During  prototype  development,  3-16 
During  service  test,  evaluation,  and  Fleet  per¬ 
formance,  3-17 
PERT,  3-10,  9-9,  10-10 
Progress  evaluation,  3-9,  3-13,  3-16 
Progress  reports,  3-13,  3-16 
Technical  reports,  3-6,  3-13 

Request  for  Proposal 

Provisions  therein  for  reliability,  3-9 

Requirements  Analysis 

Availability  and  maintainability  requirements, 
2-17 

Mission  profiles,  operating  time,  and  duty 
cycles,  2-9 

Performance  requirements,  2-11 
Procedural  steps  for,  2-3 
Reliability  requirements,  2-13 
System  functions  and  boundaries,  2-3 
Use  conditions,  2-7 

Risks 

Allowable  risk,  7-11 
Conaummer’s  risk,  7-3 
Effect  of  truncation  on,  7-19 
Producer’s  risk,  7-3 


s 

Sequential  Test  Plans 

Comparison  of  MTBF  and  proportion  unreliable, 
7-21 

Design  of  for  MTBF  acceptance,  7-2 
Design  of  for  reliability  acceptance,  7-10 
Effec  t  of  redundancy  on,  7-13 
Craphic  representation,  7-4,  7-14 
In  acceptance  testing,  7-1 
MTBF  or  failure  rate  tests,  7-1 
Probability  of  survival  tests,  7-1 
To  provide  comparison  of  exponential  and  non¬ 
exponential  tests,  7-21 


Specific  Operational  Requirement  (SOR) 

Phase  of  system  life  cycle,  1-4 

Specifications 

See  also  Reference  Documents 
Design  objectives,  4-15 
Procedural  steps  for  specifying  reliability/ 
maintainability,  4-11 

Two  methods  of  specifying  reliability,  4-10 
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Standard* 

See  Reference  Documents 

Standby  Redundancy 

See  Redundancy 

Statistical  Analysis 

See  also  Regression  Analysis 
“Chi-Square  Test  of  Independence”,  6-23 
Confidence,  6-3 
Inferences  (decisions),  6-3 
Requirements,  6-3 
Sample  size,  6-3,  6-16 
Scattergram,  6-10 

Stress 

Analysis,  example,  5-15 
Part  base  failure  rate,  5-8 
Temperature  derating  curve,  5-13 
Temperature  derating  diagram,  5-10 

Subcontractor  and  Vendor  Control 

See  Reliability  Program 

System  Effectiveness 

See  Operational  Effectiveness 

System  Life  Cycle 

See  Life  Cycle 

System  Requirements 

See  Specification;  Technical  Development  Plan 


T 

Tactical  Availability 

See  also  Operational  Readiness 
Composition  and  relationships,  1-19 
Definition  of,  1-14,  1-20 

Technical  Development  Plan  (TOP) 

Documentation  of  reliability/maintainability 
requirements,  4-3 

Establish  reliability/maintainability  milestones, 

4- 7 

Format  for,  4-3 

Primary  management  document,  4-3,  9-1 
Role  for  future  development,  1-27 

Temperature 

Temperature  derating  curves,  electron  tubes, 

5- 10,  5-13 

Temperature/wattage  derating  resistors,  5-14 


Testfs) 

Accelerated,  6-3 

Acceptance,  6-1,  6-15 

Design,  6-2,  6-3,  6-5,  6-8,  6-16,  6-22 

Development,  6-1 

Empirical  design  technique,  6-2 

Example  of,  6-4,  6-8 

Implementation  of,  6-3,  6-5,  6-20 

Objectives,  6-3,  6-5,  6-14,  6-21 

Of  comparison,  6-21 

Of  hypothesis,  6-2,  6-13 

Of  Inquiry,  6-4 

Of  investigation,  6-2 

Of  verification,  6-2,  6-14 

Plan,  6-16 

Qualification,  6-1 

Reliability,  6-1 

Replacement,  6-5 

Requirements,  6-5,  6-15,  6-22 

Tast  and  Evaluation  Plan 

Section  12  of  TDP,  4-8 
Specification  of,  4-22 

Test  Design 

See  also  Test 

Discrimination  ratio  (k),  6-16 
Sample  size,  6-16 

Operational  characteristic  (OC)  curve,  6-17 

Tolerances 

Correction  for,  factor,  5-17 
Failure  mode,  5-20 

Training  Requirements 

Section  13  of  TDP,  4-9 

Training  for  Reliability/Maintainability 

Course  outline,  3-19 

Truncation 

As  used  in  acceptance  testing,  7-19 
Graphic  representation,  7-4 

u 

Use  Conditions 

See  Specifications 
Environment 

Technical  Development  Plan 

Use  Reliability 

See  Operational  Reliability 

V 

Voting  Redundancy 

See  also  Redundancy 
Comparison  and  switching,  A4-21 
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